
[Lecture Notes in Computer Science] Intelligent Information and Database Systems Volume 7197 || On Cloud Computing Security Issues


J.-S. Pan, S.-M. Chen, N.T. Nguyen (Eds.): ACIIDS 2012, Part II, LNAI 7197, pp. 560–569, 2012. © Springer-Verlag Berlin Heidelberg 2012

On Cloud Computing Security Issues

Ainul Azila Che Fauzi, A. Noraziah, Tutut Herawan, and Noriyani Mohd. Zin

Faculty of Computer System and Software Engineering Universiti Malaysia Pahang

Lebuhraya Tun Razak, Gambang 26300, Kuantan, Pahang, Malaysia [email protected], {noraziah,tutut}@ump.edu.my,

[email protected]

Abstract. The cloud is a next-generation platform that provides dynamic resource pools, virtualization, and high availability. The concept of cloud computing relies on virtual centralization. On one side, users have full control over the data and processes on their own computers. On the other side, there is cloud computing, where the service and data maintenance are provided by vendors. Clients or customers are usually unaware of where processes are running or where the data is stored. So, logically speaking, the client has no control over it. This is the reason cloud computing faces so many security challenges. In this paper, we present a selection of issues in cloud computing and focus on the security issues. Four cloud computing security issues are examined, namely XML signature, browser security, cloud integrity and binding issues, and flooding attacks. Data security on the cloud side concerns not only the process of data transmission, but also system security and the protection of data stored on the storage of the cloud side. Some considerations need attention in order to achieve a safer environment in cloud computing, such as storage and system protection and data protection. In order to achieve better security, cloud computing needs to fulfill five goals, which are availability, confidentiality, data integrity, control and audit. By implementing these goals, we hope data in cloud computing will be more secure. We also hope that cloud computing will have a bright future with the rise of a large number of enterprises, and that it will bring an enormous change to the Internet, since it provides low-cost supercomputing as a service.

Keywords: Cloud computing, Services, Issues, Security.

1 Introduction

Computers have changed form several times in the course of their evolution. The trend has turned from larger and more expensive machines to smaller and more affordable commodity PCs and servers, which are tied together to construct what is called a cloud computing system [1]. Furthermore, the cloud has the advantage of offering more scalable, fault-tolerant services with even higher performance. Cloud computing integrates and provides different types of services such as Software-as-a-Service (SaaS), where applications are delivered as services over the Internet; Platform-as-a-Service (PaaS), where systems software is made available over the Internet; and Infrastructure-as-a-Service (IaaS), where hardware is made available to cloud users. The requirements and demands from users for cloud services vary, resulting in complex design and deployment of resources [2].

However, many problems still exist in cloud computing today. A recent survey shows that data security and privacy risks have become the primary concern for people shifting to cloud computing, because the data is stored as well as processed at centralized locations called data centers. So, the clients have to trust the provider on availability as well as data security. Even more concerning, though, are the corporations that are jumping to cloud computing while being oblivious to the implications of putting critical applications and data in the cloud. Moving critical applications and sensitive data to a public and shared cloud environment is a major concern for corporations that are moving beyond their data center’s network perimeter defense [3]. To alleviate these concerns, a cloud solution provider must ensure that customers can continue to have the same security and privacy controls over their applications and services by providing evidence to these customers that their organization and customers are secure. Besides, providers also need to show that they can meet their service-level agreements, and show how they prove compliance to their auditors [4].

This paper explores the key concepts and ideas surrounding cloud computing and focuses on the security challenges within the cloud computing prototype. The rest of this paper is organized as follows: Section 2 discusses the literature; Section 3 focuses on security in cloud computing; finally, Section 4 is the conclusion from the findings.

2 Related Works

2.1 Cloud Computing

Cloud computing is a technology that uses the Internet and central remote servers to maintain data and applications. A simple example of cloud computing is Yahoo email or Gmail: the user doesn’t need software or a server to use them [5]. The service is fully managed by the provider, which means the user only needs a personal computer and Internet access [5].

2.2 Cloud Computing Issues

In the last few years, cloud computing has grown from being a promising business concept to one of the fastest growing segments of the IT industry. Now, recession-hit companies are increasingly realizing that simply by tapping into the cloud they can gain fast access to best-of-breed business applications or drastically boost their infrastructure resources, all at negligible cost [6]. As a result, concerns are beginning to grow about how safe an environment it is for everyone. Several issues are highlighted in this paper.


2.2.1 Privacy

Cloud computing uses virtual computing technology, so users’ personal data may be scattered across various virtual data centers rather than staying in the same physical location. Data privacy protection then faces the controversy of different legal systems, even across national borders. Attackers can analyze the critical task based on the computing tasks submitted by the users [7].

2.2.2 Reliability

Cloud servers also experience downtimes and slowdowns; the difference is that users depend more heavily on the cloud service provider (CSP) in the cloud computing model. There are big differences between CSPs’ service models. Once you select a particular CSP, you may be locked in, which brings a potential business security risk [6].

2.2.3 Legal Issues

Regardless of efforts to bring the legal situation into line, as of 2009, suppliers such as Amazon Web Services serve major markets by developing restricted road and rail network and letting users choose “availability zones” [8]. On the other hand, worries about safety measures and confidentiality persist from the individual level all the way through the legislative level.

2.2.4 Open Standard

Open standards are critical to the growth of cloud computing. Most cloud providers expose APIs which are typically well-documented but unique to their implementation and thus not interoperable. Some vendors have adopted others' APIs [9], and there are a number of open standards under development. The Open Cloud Consortium (OCC) [10] is working to develop consensus on early cloud computing standards and practices.

2.2.5 Compliance

“Managing Compliance and Security for Cloud Computing” provides insight into how a top-down view of all IT resources within a cloud-based location can deliver stronger management and enforcement of compliance policies. In addition to the requirements to which customers are subject, the data centers maintained by cloud providers may also be subject to compliance requirements [10].

2.2.6 Freedom

Cloud computing does not allow users to physically possess the storage of the data, leaving the data storage and control in the hands of cloud providers. Customers will argue that this is pretty fundamental and affords them the ability to retain their own copies of data in a form that retains their freedom of choice [2].

2.2.7 Security

In the cloud, your data will be distributed over these individual computers regardless of where your base repository of data is ultimately stored. Industrious hackers can invade virtually any server. Statistics show that one-third of breaches result from stolen or lost laptops and other devices. There are also cases that result from employees accidentally exposing data on the Internet, with nearly 16 percent due to insider theft [6].

3 Security in Cloud Computing

3.1 Goals in Cloud Computing

Traditionally, cloud computing has five goals that need to be fulfilled in order to achieve adequate security.

3.1.1 Availability

The goal of availability for cloud computing systems is to make sure users can use them at any time and place. A cloud computing system enables its users to access the system from anywhere as long as they have an Internet connection. This principle is valid for all cloud computing services. Two strategies are mostly used to enhance the availability of cloud computing: hardening and redundancy.

In addition, current cloud system vendors such as Amazon and Skytap offer the ability to block and filter traffic based on IP address and port only to secure their systems. These security control strategies are hardened into their virtual machines, which in turn enhances the availability of the provided infrastructure.

For redundancy, large cloud computing system vendors offer geographic redundancy in their cloud systems so that they can enable high availability on a single provider. For example, Amazon builds data centers in numerous regions and various availability zones within those regions. Availability zones are distinct locations that are engineered to be insulated from failures in other availability zones and provide inexpensive, low-latency network connectivity to other availability zones in the same region. One can protect applications from the failure of a single location by using instances in separate availability zones. That is to say, a cloud system by nature has the capability to provide redundancy to enhance the high availability of the system [1].

3.1.2 Confidentiality

Confidentiality in cloud systems is a big obstacle for users stepping into the cloud. Currently, cloud computing systems offer services that are basically public to networks.

Consequently, keeping all of users’ confidential data secret in the cloud will attract even more users, as this is a fundamental requirement. There are two basic approaches to achieving such confidentiality, namely physical isolation and cryptography. As discussed, cloud system services are transmitted through public networks, so no physical isolation can be achieved. Alternatively, Virtual Local Area Networks should be deployed to achieve virtual physical isolation [11].


Encrypted storage is another choice to enhance confidentiality. For example, encrypting data before placing it in a cloud may be even more secure than unencrypted data in a local data center [1].

3.1.3 Data Integrity

Maintaining data integrity is a fundamental task, as data is the basis for providing cloud computing services. Cloud computing systems usually provide massive data processing capability. Here, massive data means many terabytes (TB) or even petabytes (PB) of data in volume. The first challenge is the current state of development of hard disk drives: capacity increases are not keeping pace with data growth. As a result, vendors need to increase the number of hard drives to scale up data storage in cloud computing systems. Consequently, this may increase the probability of node failure, disk failure, data corruption or even data loss. The second challenge is that disk drives are getting bigger and bigger in terms of capacity, but not much faster in terms of data access [1].

3.2 Cloud Computing Security Issues

There are four cloud computing security issues that are the focus of this paper, namely XML signature, browser security, cloud integrity and binding issues, and flooding attacks.

3.2.1 An XML Signature

XML Signature Element Wrapping is a well-known type of attack on protocols using XML Signature for authentication or integrity protection [12]. This of course applies to Web Services and therefore also to Cloud Computing.

Figures 2 and 3 show a simple example of a wrapping attack to illustrate the concept of this attack. The first figure presents a SOAP message sent by a legitimate client. The SOAP body contains a request for the file “me.jpg” and was signed by the sender. The signature is enclosed in the SOAP header and refers to the signed message fragment using an XPointer to the Id attribute with the value “body”. If an attacker eavesdrops on such a message, he can perform the following attack. The original body is moved to a newly inserted wrapping element (giving the attack its name) inside the SOAP header, and a new body is created. This body contains the operation the attacker wants to perform with the original sender’s authorization, here the request for the file “cv.doc”. The resulting message still contains a valid signature of a legitimate user, thus the service executes the modified request [13].

Fig. 1. Example SOAP message with signed SOAP body

Fig. 2. Example SOAP message after attack
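The check that separates a vulnerable verifier from a hardened one in the wrapping scenario above, as an added example that is not code from the paper or from any Web Service framework. It assumes an HMAC over the canonicalized element as a stand-in for a real XML Signature; the element names `Signature`, `Reference`, `SignatureValue`, `Wrapper` and `getFile`, the key and both messages are constructed for illustration.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
KEY = b"constructed-demo-key"  # assumption: an HMAC stands in for XML Signature


def digest(elem):
    """MAC over the canonical (C14N) form of one element and its children."""
    c14n = ET.canonicalize(ET.tostring(elem, encoding="unicode"))
    return hmac.new(KEY, c14n.encode(), hashlib.sha256).hexdigest()


def signed_request(filename):
    """Constructed sample: the legitimate client's message, body signed by Id."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP}}}Header")
    body = ET.SubElement(env, f"{{{SOAP}}}Body", {"Id": "body"})
    ET.SubElement(body, "getFile", {"name": filename})
    sig = ET.SubElement(header, "Signature")
    ET.SubElement(sig, "Reference", {"URI": "#body"})
    ET.SubElement(sig, "SignatureValue").text = digest(body)
    return env


def wrapped_sample():
    """Constructed sample of the message after the attack described above."""
    env = signed_request("me.jpg")
    header, body = env[0], env[1]
    env.remove(body)
    ET.SubElement(header, "Wrapper").append(body)  # signed body moved aside
    new_body = ET.SubElement(env, f"{{{SOAP}}}Body")
    ET.SubElement(new_body, "getFile", {"name": "cv.doc"})
    return env


def _signature_target(env):
    """Return the signature value and every element carrying the referenced Id."""
    sig = env.find(f"{{{SOAP}}}Header/Signature")
    ref_id = sig.find("Reference").get("URI").lstrip("#")
    matches = [e for e in env.iter() if e.get("Id") == ref_id]
    return sig.findtext("SignatureValue"), matches


def naive_verify(env):
    """Vulnerable: validates whatever element has the Id, then acts on soap:Body."""
    value, matches = _signature_target(env)
    if not matches or not hmac.compare_digest(digest(matches[0]), value):
        raise ValueError("signature invalid")
    return env.find(f"{{{SOAP}}}Body/getFile").get("name")


def strict_verify(env):
    """Hardened: the signed element must be the one body that gets processed."""
    value, matches = _signature_target(env)
    body = env.find(f"{{{SOAP}}}Body")
    if len(matches) != 1 or matches[0] is not body:
        raise ValueError("signed element is not the SOAP body being processed")
    if not hmac.compare_digest(digest(body), value):
        raise ValueError("signature invalid")
    return body.find("getFile").get("name")


if __name__ == "__main__":
    print("naive, wrapped message :", naive_verify(wrapped_sample()))
    try:
        strict_verify(wrapped_sample())
    except ValueError as err:
        print("strict, wrapped message: rejected,", err)
```

The signature itself is valid in both cases; the difference is only whether the verifier ties the signed element to the element the service logic reads.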

3.2.2 Browser Security

In a cloud, computation is done on remote servers. The client PC is used for I/O and for authentication and authorization of commands to the cloud. Therefore, it does not make sense to develop client software; instead, a universal, platform-independent tool is used for I/O, which is a Web browser.

Modern Web browsers with their AJAX techniques are ideally suited for I/O but not really suited for security. Web browsers cannot directly make use of XML Signature or XML Encryption. Data can only be encrypted through Transport Layer Security (TLS), and signatures are only used within the TLS handshake. TLS was introduced, under its more common name “Secure Sockets Layer (SSL)”, by Netscape in 1996. It consists of two main parts: the Record Layer encrypts/decrypts TCP data streams using the algorithms and keys negotiated in the TLS Handshake, which is also used to authenticate the server and optionally the client. Today it is the most important cryptographic protocol worldwide, since it is implemented in every web browser [13].

3.2.3 Cloud Integrity and Binding Issues

Maintaining and coordinating instances of virtual machines (IaaS) or explicit service implementation modules (PaaS) is the responsibility of a cloud computing system. On request of any user, the cloud system is responsible for determining and eventually instantiating a free-to-use instance of the requested service implementation type. Then, the address for accessing that new instance is communicated back to the requesting user. Generally, this task requires some metadata on the service implementation modules, at least for identification purposes. For the specific PaaS case of Web Services provided via the Cloud, this metadata may also cover all Web Service description documents related to the specific service implementation. For instance, the Web Service description document itself should not only be present within the service implementation instance, but also be provided by the cloud system in order to deliver it to its users on demand. Most of these metadata descriptions are usually required by any user prior to service invocation in order to determine the appropriateness of a service for a specific purpose. Thus, these metadata should be stored outside of the Cloud system, resulting in a necessity to maintain the correct association of metadata and service implementation instances [13].

3.2.4 Flooding Issues

A major aspect of Cloud Computing consists of outsourcing basic operational tasks to a cloud system provider. Among these basic tasks, one of the most important is server hardware maintenance. Thus, instead of operating its own internal data center, a company (the user) can rent server hardware on demand (IaaS) under the cloud computing paradigm. This approach provides valuable economic benefits when it comes to dynamics in server load, as for instance day-and-night cycles can be attenuated by having the data traffic of different time zones handled by the same servers. Hence, instead of buying sufficient server hardware for the high-workload times, cloud computing enables a dynamic adaptation of hardware requirements to the actual workload occurring. Technically, this can be realized by using virtual machines deployed on arbitrary data center servers of the cloud system. If a company’s demand for computational power rises, it is simply provided with more instances of virtual machines for its services.

Unfortunately, from a security perspective, this architecture has a serious drawback. Though the feature of providing more computational power on demand is appreciated in the case of valid users, it poses severe trouble in the presence of an attacker. The corresponding threat is that of flooding attacks, which basically consist of an attacker sending a huge number of nonsense requests to a certain service. In the specific case of cloud computing systems, the impact of such a flooding attack is expected to be amplified drastically. This is due to the different kinds of impact, which are discussed next [13].

3.3 Security Approach in Cloud Computing Security Issues

3.3.1 Security Issue of Enterprises Adopting the Application of Cloud Computing

Data security on the cloud side concerns not only the process of data transmission, but also system security and the protection of data stored on the storage of the cloud side. The service provider has to pay attention to finding problems that may occur and must be capable of sound database and file management, especially when many users on the client side of the cloud are accessing the same folders or even the same files on the cloud side. Some considerations need attention in order to achieve a safer environment in cloud computing, which are storage and system protection and data protection.

The cloud computing service provider must present the necessary documents to the third party that plays the supervisory role for auditing, as a process defined in the specification of physical security. The user of cloud computing should also adopt the specification of physical security to watch over the physical retrieval procedure of the storage on the cloud side. The whole disposal process, including the disposal location, the verification procedure, and the process of demagnetization and recycling at the resource recycling station, should be recorded by video-taping as a reference or evidence. Besides, an enterprise that uses cloud computing should also pay attention to data security on the storage. Confidential files or sensitive data should be encrypted by the enterprise before uploading. Afterwards, the encrypted data can be uploaded to the storage designated and provided by the cloud computing service provider through a secure channel, as shown in Figure 4 [14].

Fig. 3. Diagram of data encryption scheme before uploading

3.3.2 Digital Signature with RSA Encryption Algorithm to Enhance the Data Security of Cloud in Cloud Computing

This scheme is proposed to ensure the security of data in the cloud. Till now, it is the only asymmetric algorithm used for private/public key generation and encryption. Both a digital signature scheme and public key cryptography are included to enhance the security of cloud computing [15].

Assume there are two enterprises, A and B. Enterprise A has a public cloud with data, software and applications. Company B wants secure data from A’s cloud. Here, secure data is sent to B by using a digital signature with the RSA algorithm.

a. Step 1: A takes a document that B needs from the cloud.
b. Step 2: The document is crunched into a few lines by using some hash function; the hash value is referred to as the message digest (refer Figure 4).
c. Step 3: A’s software then encrypts the message digest with its private key. The result is the digital signature (refer Figure 5).
d. Step 4: Using the RSA algorithm, A encrypts the digitally signed signature with B’s public key, and B decrypts the cipher text to plain text with its private key and A’s public key for verification of the signature (refer Figure 6).

Fig. 4. Document crunched into message digest

Fig. 5. Encryption of message digest into Signature

Fig. 6. Encryption of Digital Signature into Cipher text browser
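Steps 1 to 4 above carried through in code, as an added example that is not from the paper or from the authors of the scheme. It uses textbook RSA without padding and toy keys built from known Mersenne primes, so it illustrates the data flow only; the function names, the sample document and the assumption that B also receives the document itself are introduced here.

```python
import hashlib

E = 65537  # public exponent shared by both toy keys


def toy_keypair(p, q):
    """Textbook RSA key from two known primes; returns (n, e, d)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return n, E, pow(E, -1, phi)


# Constructed toy keys from Mersenne primes: trivially factorable, demo only.
# B's modulus must be larger than A's, otherwise A's signature would not fit
# into a single RSA block when it is encrypted for B in step 4.
A_N, A_E, A_D = toy_keypair(2**521 - 1, 2**607 - 1)
B_N, B_E, B_D = toy_keypair(2**1279 - 1, 2**2203 - 1)


def message_digest(document: bytes) -> int:
    """Step 2: crunch the document into a fixed-size message digest."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big")


def a_sign_and_encrypt(document: bytes) -> int:
    """Steps 2 to 4 on A's side."""
    digest = message_digest(document)
    signature = pow(digest, A_D, A_N)      # step 3: A's private key
    return pow(signature, B_E, B_N)        # step 4: B's public key


def b_decrypt_and_verify(ciphertext: int, document: bytes) -> bool:
    """Step 4 on B's side: recover the signature, then check it against the
    document B received (assumption: the document is delivered separately)."""
    signature = pow(ciphertext, B_D, B_N)  # B's private key
    recovered = pow(signature, A_E, A_N)   # A's public key
    return recovered == message_digest(document)


if __name__ == "__main__":
    doc = b"constructed sample document from A's cloud"
    ct = a_sign_and_encrypt(doc)
    print("original document verifies:", b_decrypt_and_verify(ct, doc))
    print("altered document verifies :", b_decrypt_and_verify(ct, doc + b"!"))
```

A deployment would use a vetted library with a padded signature scheme and padded encryption rather than raw modular exponentiation.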

4 Conclusion

In this paper, we have presented a selection of issues in cloud computing, focusing more on security issues. This is because security issues indicate problems which might arise from time to time. It is very important to take security and privacy into account when designing and using cloud services. We also discussed approaches to enhance cloud computing security, such as fulfilling the five goals, which are availability, confidentiality, data integrity, control and audit in cloud computing. From our observations, a good first starting point for improving cloud computing security consists of strengthening the security capabilities of both Web browsers and Web Service frameworks. In addition, cloud computing will bring a revolutionary change to the Internet, since it offers low-cost supercomputing to provide services. With a large number of enterprises behind it, there is no doubt that cloud computing has a bright future.

Acknowledgement. This work is supported by Postgraduate Research Grant Scheme by Universiti Malaysia Pahang.

References

1. Armbrust, M., Fox, A., Griffith, R., Joseph, A.D., Katz, R.H., Konwinski, A., Lee, G., Patterson, D.A., Rabkin, D., Stoica I., Zaharia, M.: Above the clouds: A Berkeley view of cloud computing. Technical report UC Berkeley Reliable Adaptive Distributed Systems Laboratory (2009)

2. Minqi, Z., Rong, Z., Wei, X., Weining, Q., Aoying, Z.: Security and Privacy in Cloud Computing: A Survey. In: The Proceeding of Sixth International Conference of Semantics Knowledge and Grid (SKG 2010), pp. 105–112 (2010)

3. Chang-Lung, T., Uei-Chin, L., Chang, A.Y., Chun-Jung, C.: Information security issue of enterprises adopting the application of cloud computing. In: The Proceeding of Sixth International Conference Networked Computing and Advanced Information Management (NCM 2010), pp. 645–649 (2010)

4. Tharam, D., Chen, W., Elizabeth, C.: Cloud computing: issues and challenges. In: The Proceeding of 24th IEEE International Conference on Advanced Information Networking and Applications AINA, pp. 27–33 (2010)

5. http://searchcloudcomputing.techtarget.com/definition/cloud-computing

6. Pooja, T.: Demystifying Cloud Computing, http://www.technology-digital.com/blogs/editor/demystifying-cloud-computing (retrieved on January 13, 2011)

7. Jianfeng, Y., Zhibin, C.: Cloud Computing Research and Security Issues. In: The Proceeding of International Conference on Computational Intelligence and Software Engineering (CiSE), pp. 1–3 (2010)

8. Brockmeier, J.: Eucalyptus Completes Amazon Web Services Specs with Latest Release, http://ostatic.com/blog/eucalyptus-completesamazon-web-services-specs-with-latest-release (retrieved on January 17, 2011)

9. Open Cloud Consortium, http://opencloudconsortium.org/home/ (retrieved on January 17, 2011)

10. Bardin, J.: Security Guidance for Critical Areas of Focus in Cloud Computing, http://www.cloudsecurityalliance.org/guidance/csaguide.pdf (retrieved on January 13, 2011)

11. Brodkin, J.: Gartner: Seven cloud-computing security risks, http://www.infoworld.com/d/security-central/gartner-seven-cloud-computingsecurity-risks-853 (retrieved on January 11, 2011)

12. Gantz, J.F., Chute, C., Manfrediz, A., Minton, S., Reinsel, D., Schlichting, W., Toncheva, A.: The diverse and exploding digital universe, IDC Future Report, 1–12 (2008)

13. Jensen, M., Schwenk, J., Gruschka, N., Iacono, L.L.: On Technical Security Issues in Cloud Computing. In: The Proceeding of IEEE International Conference on Cloud Computing CLOUD 2009, pp. 109–116 (2009)

14. Somani, U., Lakhani, K., Mundra, M.: Implementing digital signature with RSA encryption algorithm to enhance the Data Security of cloud in Cloud Computing. In: The Proceeding of 1st International Conference on Parallel Distributed and Grid Computing (PDGC 2010), pp. 211–216 (2010)

15. Wood, K., Pereira, E.: An investigation into cloud configuration and security. In: The Proceeding of International Conference Internet Technology and Secured Transactions (ICITST), pp. 1–6 (2010)