A security tool for cloud computing called CyberGuarder, proposed in [59], provides virtual network security through the deployment of virtual network devices. Inform. Moreover, the data recovery vulnerability must be, The customers due to many reasons may want to migrate the digital assets to some other cloud. The Cloud System can be set up particularly for a firm, organization, institution. Resources on the cloud can be accessed through the Internet without self-built infrastructure. Parallel Distrib. Based on the security requirements and attacks against cloud computing, we systematically summarize the current security protection mechanisms and further make a comparison among them. 5th International Conference on Network and System Security (NSS), 2011, pp. on each other. Vasilakos, Security and privacy for storage and computation in cloud computing, Inform. F. Liu, P. Shu, H. Jin, L. Ding, J. Yu, D. Niu, B. Li, Gearing resource-poor mobile devices with powerful clouds: architectures, challenges, and applications, Q. Liu, G. Wang, J. Wu, Time-based proxy re-encryption scheme for secure data sharing in. The SPECS articulates the architecture only and makes use of established work to carry out the phases of the SLA life cycle. M. Sookhak, H. Talebian, E. Ahmed, A. Gani, M.K. The SaaS enables the customers to use the CSP’s applications, running on the cloud infrastructure, through the Internet. The proposed framework migrates both the static and dynamic security contexts to ensure the same security status for a VM on the destination host as was present at the source. et al. Virtual networks raise some unique security concerns in addition to the concerns faced by conventional physical networks. 
This thesis discusses security and privacy problems in cloud computing, and identifies some of the known solutions for selected problems. This paper develops an effective radix trie (RT) with Bloom Filter (BF) based secure data deduplication model, abbreviated as SDD-RT-BD. THE WHITE BOOK OF… Cloud Security Contents Preface 4 Acknowledgments 5 1: Is Cloud Computing Secure? In due course of time the cloud is going to become more valuable for us and we must protect the data we put on the cloud while maintaining the high quality of service being offered to us. The integrity of the platform is ensured before moving any application to it. An increase in the rate of warning generation is treated as a security threat that activates the actuator module for reaction according to the security policies. The Splitvisor executes in root mode and is responsible for isolating multiple Guestvisors. Comput. The algorithm performs the renegotiation and scrutinizes the obtainable services at runtime as a replacement for the canceled or problematic service. In the requirement engineering phase, the team members work to get the user requirements, comprehend them and specify them for the next process. It may seem daunting at first to realize that your application The security solutions have also been presented in, cussed comprehensively and overview of the cloud technology is missing. It can also be observed that trusted computing can form a good basis for providing secure and trusted platforms because of the fact that it secures the platform right from the boot time and, the states periodically. Furthermore, we unpack three major contingency factors, i.e., client-provider ratio, specificity, and service delivery model, which influence the reasonability and configuration of the cloud management processes. Therefore, insecure APIs can be troublesome for both the cloud and the users. The VM, . 
Due to the increased use of smartphones and mobile devices, the MCC has also taken off. Violation of integrity may also result from the multi-tenant nature of the cloud. 877–883. legalities, and physical locations of the data. standards that could be (or become) relevant. The assessment of recorded activities is performed by the evaluator. Different users may access the same application, Broken Authentication and Session Management, . This section provides a brief discussion on the security issues having roots in the MCC paradigm and, The MCC has its foundations in the traditional cloud computing, therefore, all the security issues discussed in Section, become inherited to the MCC. 8. The overarching aim of this paper, therefore, is to present a detailed analysis of the cloud computing security problem, from the perspective of cloud architectures and the cloud service delivery models. This avoids the cross-tenant attack on the virtual network. The sequence of attributes can be decided accord-. In this paper, we introduce a new concept, Collaborative UAVs Cloud, to simplify the efforts and reduce the time and cost needed to develop collaborative UAV applications. It is noteworthy that the security solutions that are to be, end will remain the same. In this work, we explore the software part of green computing in computing paradigms in Zomaya, SeDaSC: secure data sharing in clouds, IEEE Syst. In all cases, a cloud computing solution will only be considered after a thorough risk evaluation has been completed, reviewed and accepted by the Ministry’s Chief Information Security Officer or delegate. The colocation of various orga-. 63 (1) (2014) 17–30, http://dx.doi.org/10.1016/j.future.2014.09.009, M.R. The guidelines also focus on leakage of customers’ data due to a virtual network and the use of the same underlying infrastructure. Lin, W.G. The session key is calculated through bilinear Diffie-Hellman both by the user and the cloud. 
The erasure correcting code and homomorphic tokens are used for the aforesaid purpose. 91–96. Nguyen, M.G. All the requests, initially received by the network access server, are forwarded to the Diameter server. He et al. Moreover, it also highlights the scalability of the presented work. Service Manage. Moreover, the VM images are mostly used by various and unrelated users. The prototype was imple-, ing the hypervisor and running VMs. The contributions of this survey with respect to the aforesaid surveys are presented in, The remainder of the paper is organized as follows. Moreover, future efforts to integrate. 425–428. References 7. 273–279. The CSA recommends the following major measures. Furthermore, the rollback can revert the VM to previous security policies and, The key module of virtualization is the hypervisor or VMM. The proposed partitions are public, private, and limited access partitions. This is emphasized by the fact that virtual machines are abruptly migrated between physical hosts in the same or even in different data centers under different security policies. The prime status of the VMM also makes it a key target for attacks. nizations data and applications adds more to the severity. The OPS probes the VMs for software vulnerabilities by using reputable security practices. Despite intensive research efforts by the research community, there still are open issues that need to be addressed for providing a secure cloud environment. However, multi-tenancy also poses threats to the cloud computing system. ing a comprehensive security solution in cloud computing. Security and protection mechanisms over the physical network are not able to monitor the traffic over virtualized. 
The taxonomy of the security challenges in the cloud computing is depicted in, The cloud services are normally available to the customers through the Internet, mechanisms are used for communication between the customers and the cloud, in transmission of either data/information or applications between the customer and the cloud. locations. kle tree. The proposed SDD-RT-BF model involves three major stages namely, authorized deduplication, proof of ownership and role key update. Detailed simulation experiments take place to demonstrate the security and effectiveness of the presented model. The proposed scheme in, the untrusted components. One of the important characteristics of cloud applications is that they are not bonded with specific users, possibly at the same time. This operational dependency of the service models on each other brings in the security dependency also. In short, any compromised service model gives access to the other layers of the service model. The next level will check for the next attribute and the process continues till the firewall reaches the specified security policy for the given attributes. At first, the security context manager module migrates the static security context state, followed by the migration of VM state information by the VM state migrator module. Services Comput. The proposed framework was implemented on the Xen hypervisor. The major security issues in the MCC are: (a) mobile application security, (b) user privacy, (c), Decentralized access control for cloud storage, SecAgreement, security risk calculation at cloud, A framework for reacting to change in security, SPECS, SLA-based approach to security as a service, A solution for embedding security controls in cloud SLA, . Most of the proposed solutions typically follow a similar architecture based on a preconfigured, static and closed circle of trust, in which interactions are only possible with pre-configured entities. 
In this study, these models are integrated with the cloud computing domain, and we report on the security considerations of all the selected models. Each channel is assigned a unique logical ID that is used to monitor the source of packets originating from. The encryption and decryption is performed for every disk I/O by a VM. Hoang, C. Lee, D. Niyato, P. Wang, A survey of mobile cloud computing: architecture, applications, and approaches, Wireless, X. In this paper, we intend to tackle this problem, specifically for intrusion detection/prevention and VPN/IPsec as main security mechanisms. Moreover, in case of the aforesaid mismatch it encrypts the contents of the page table. The data and index are sent to the cloud, where they are stored depending on the SR value. Computing applications and data are growing so rapidly that increasingly larger servers and data centres are needed for fast processing within the required time. All characteristics of the entities should have an identified trust level. For example, vulnerabilities in the Xen, Microsoft Virtual PC, and Microsoft Virtual Server can be abused by attackers to gain privileged rights, of the already instantiated VMs are in idle state. The authors in, structure. The optimal key generation is accomplished by deriving a multi-objective function that involves the parameters, such as the degree of modification, hiding ratio, and information preservation ratio. 7. The alert is pushed into the alert interpreter that analyzes the generated alert and invokes the rules generator. The Address Independent Seed, tree are used for encryption and integrity checking, respectively. The HyperCo_er involves both the hardware and software to protect VMs in execution. On the other hand, if the user needs to utilize both the cloud's computational power and the cloud's storage, then it is harder due to the protection of data, and it might be prepared well-suited with the outsourced computations on masked data on cloud premises. 
Web application and application programming interface (API) security, one of the essential requirements for a cloud application to be utilized and managed over the Web, provided by the CSP is always located at the cloud with users accessing it ubiquitously. Based on the, proposed a method to react to the SLA violations (pertaining to the security) or, built a compliance vocabulary and used ontologies to automate the process of negotiation and selection of better, . and reporting. Jaatun, Beyond lightning: a survey on security challenges in cloud computing, Comput. The absence of impeccable isolation between virtual machines necessitates the development of specific methodologies, capable of delineations that can prove to be equivalent to physical isolation. The analysis shows that the model can complete the isolation of vTPM, and protect the security of vTPM during the migration process through the migration control server, and can strengthen the security of the virtualization platform. The user does not know the location of the assets due to the location transparency offered by the cloud, and therefore, cannot exactly know his/her legal rights and responsibilities. The key management should be performed by either the organizations/users themselves or by a trusted cryptographic. Vasilakos, A survey on service-oriented network virtualization toward convergence of networking and cloud computing, IEEE, D. AB. MAC addresses only in the presented technique. The vocabulary is populated with the set of SLA security terms and the associated security controls that fulfill the corresponding security requirements. After the specification of KSD, the CloudSec maps the physical memory bytes (obtained through the hypervisor) to the KSD that generates the operating system (OS) view of the live VM. 
To create a sustainable basis in terms of security in Cloud Computing, in September 2010 the German Federal Office for Information Security However, security and privacy issues pose as the key roadblock to its rapid adoption. Subsequently, the countermeasures presented in the literature are presented. Clouds provide a powerful computing platform that enables individuals and organizations to perform a variety of tasks such as: use of online storage space, adoption of business applications, development of customized computer software, and An important factor is the key strength, information, including data secured in cloud servers, are examined in that part. The proposed scheme allows the user to rate the requirement of confidentiality, availability. Anala, J. Shetty, G. Shobha, A framework for secure live migration of virtual machines, in: IEEE International Conference on Advances in. Dimensions, Design Issues, and State-of-the-Art, arXiv preprint arXiv:1312.6170, 2013. The thin client interface, such as a web browser, can be used to access the applications. However, there are a variety of information security risks that need to be carefully considered. This concept utilizes the recent technology of mobile cloud computing for. The security measures taken by the cloud service providers (CSP) are generally transparent to the, . The cloud verifies the signature that is attribute based and stores the data in case of a valid user. control over the underlying cloud infrastructure but only on the applications that are moved to the cloud. Control Markup Language (XACML) messages, and XML wrapping attacks. The scheme also makes use of a trusted third party that issues tokens to the users. Annual ACM Workshop on Privacy in the Electronic Society, 2011, pp. 
The credential generation can be offloaded to a trusted third party due to the low processing power of the mobile device, Due to the low processing power of mobile devices, computation intensive encryption algorithms with large keys are not, trusted third party for securing the user data, The discussion on the security issues presented in the preceding sections elaborates that the cloud not only retains the orthodox security concerns but also entails the novel issues arising due to the use of new technologies and practices. Similar recommendations are made by the CSA to deal with the, A ubiquitous access to the cloud computing allows the mobile devices to connect and use the traditional cloud computing services. A separate VM is instantiated for each user that virtually provides a complete operating machine to the, ronment. The working of FADE is depict-. Therefore, a broad framework that ensures privacy while performing computations is the need for security. An API can be thought of as a user guide that describes the details about the CSP’s, . Tabulated analysis will greatly help the readers to compare and analyze the pros and cons of the research endeavors. The algorithm is capable of negotiating cloud federations to lower the risk. The security issues in the cloud computing paradigm are detailed in Section, in the contemporary literature are presented in Section, 2. The EVDIC uses the advanced encryption standard (AES) with a key size of 256 bits. The system parameter includes the parameters to generate the groups. Even a compromised hypervisor will not let the attacker take full control of the system. 83–90. Some of these challenges include security, privacy and trust, bandwidth and data transfer, data management and synchronization, energy, Green computing denotes energy efficiency in all components of computing systems i.e. 
The TAL is computed using the credentials, and additionally the Trust Token credential that is proposed by the authors. The proposed strategy relies on the hardware capabilities to ensure isolation between VMs. The key scope should be maintained at the individual or group level. The cloud after receiving decrypts the data, verifies the signature and stores it at the designated partitions in the cloud. Section, computing. On the other hand, a malicious user can upload an image that contains malware. cess. However, the risks are discussed from the perspective of different stakeholders, like customers, government, and service providers. The indirections are avoided because of the dedicated cores and the hardware for the guest VM. A CloudVisor is a lightweight security module that works beneath the VMM using nested virtualization. Fernandes D. et al. A VMM is a software component that manages all the VMs and their access to the hardware. The SecCloud uses encryption for achieving the storage security. Hale, R. Gamble, Building a compliance vocabulary to embed security controls in cloud SLAs, in: IEEE Ninth World Congress on Services. Similarly, a private cloud may or may not be located at the organization’s geographical site. Customers use resources provided by the cloud and pay according to the use. Moreover, the pricing of the service usage is also totally dependent, More focus is required to ensure the privacy during computations. Critical Areas in Cloud Computing V.3” and “Security as a Service Implementation Guidance”. 
Traditional security software like antivirus and IDS cannot run continuously on the mobile, concept of offloading computation can also be used to run heavy security programs on the cloud that provide malicious code and intrusion detection on the mobile device, The mobile device can be the source of user location leakage especially due to location based services, said is the serious privacy issue and leads to an even worse situation if a foe knows the user’s whereabouts, location cloaking can be used to preserve user location privacy by concealing the user’s exact geographic position, Authentication is another issue on resource constrained mobile devices. 5 Cloud Computing Benefits, risks and recommendations for information security There are three categories of cloud computing: -Software as a service (SaaS): is software offered by a third party provider, available on demand, usually via the Internet, configurable remotely. The use of standard algorithms is recommended and proprietary encryption algorithms are discouraged. Data mining uses different tools to discover unknown, valid patterns and relationships in the dataset. Khan, M.L.M. The services should have import/export functions into standards such as XACML and OASIS. There is a need to select the best Requirement Engineering model, and integrate it with cloud computing, that can give the best response to the users and software developers and avoid mistakes in the requirement engineering phase. This concern originates from the fact that sensitive data stored in the public clouds is managed by commercial service providers who might not be totally trustworthy. To interact with various services in the cloud and to store the data generated/processed by those services, several security capabilities are required. 
Chapter 8 Cloud Computing: 8.1 Cloud Computing Concepts (Service Models; Deployment Models) 8.2 Moving to the Cloud (Risk Analysis; Cloud Provider Assessment; Switching Cloud Providers; Cloud as a Security Control) 8.3 Cloud Security Tools and Techniques (Data Protection in the Cloud; Cloud Application Security) The proposed architecture provides. Significant research and development efforts in both industry and academia aim to improve the cloud's security and privacy. on Security of Info and Networks, 2013, pp. The process reduces the time consumption of each VM for proper functioning after. on Services Computing (SCC), 2013, pp. This chapter gives an overview of the cloud computing concept followed by a description of mobile cloud computing and the different security issues pertinent to the mobile cloud computing environment. The first and the foremost need is to develop a comprehensive and integrated security solution that encompasses most of the major security requirements in the cloud environment. All the programs can be run entirely exterior to the OS. describes the security issues in cloud computing and associated security solutions. On Aug 1, 2014, E. Kesavulu Reddy published Information Security in Cloud Computing. A. The compromised hypervisor may grant all the privileges to the successful attacker, putting all other resources into the danger zone. The purpose of this policy is to provide an overview of cloud computing and the security and privacy challenges involved. The computational results are verified by the verifying agency by rebuilding the Mer-. Initially, a convergent encryption approach is applied for preventing the leakage of data and a role re-encryption process is employed for attaining authorized deduplication resourcefully. 
Cloud security concerns – While adoption of cloud computing continues to surge, security concerns are showing no signs of abating. Syst. This scan is only allowed at the boot up time with a temporary hypervisor so as to avoid any attack from user, After the scan the temporary hypervisor is disabled. 390–399. upsurges the capabilities of the hardware resources by optimal and shared utilization. Security issues from the technological and operational point of view were not in the scope of the aforesaid study. The migration of user’s assets (data, applications etc.) The security risks in the cloud may differ from the risks of conventional IT infrastructure either in nature or, . The same can be observed from other presented domains. hardware, software, The Guestvisor runs in non-root mode, excluding it from the trusted computing base. 1–6. 3.1.1. The proposed scheme called HyperLock provides an address space isolated from the host OS. For example in, ed technique follows the Software-Defined Network (SDN) methodology for isolating virtual networks. However, the services provided by third-party cloud service providers entail additional security threats. However, unlike normal computing machines, mobile devices are resource constrained; their low processing power, less storage capacity, limited energy, and capricious Internet connectivity do not allow compute and storage demanding applications to run on mobile devices, new computing paradigm called MCC that enhances the abilities of mobile devices by moving the storage and compute processes by using the computation and storage services of the cloud. ments. The user sets the password during the registration process. Cloud Comput. Comparison of presented strategies for secure hypervisor. cloud, (c) community cloud, and (d) hybrid cloud. Moreover, the study in, defense strategies for the existing vulnerabilities. 4.2.3. In bridge mode the Xen attaches the VM directly to the virtual Ethernet bridge. of code in the SVM. 
The discussion of the presented techniques has led the way to highlight some open issues to motivate the research community and academia to, This research was in part supported by a grant from the National Science Foundation, CNS. The migration of VMs, data, and applications across multiple physical nodes, . (2014), [73] S.H. We present a thorough overview of mobile cloud computing and differentiate it from traditional cloud computing. The author discusses related challenges, opportunities, and solutions. In each category, before, that aim at providing greater security to the cloud, where network probing is detected by using IP tables and, provides virtual network security through, proposed a virtual network model that safeguards the virtual networks against sniffing and spoofing, by implementing a novel tree-rule firewall. The CSP is dealt with as a host, while the services owner acts as an authorizing user. 13 (2) (2014). In the case of memory and storage resources, a malicious user can employ data recovery techniques to, times. The SPICE extends the Waters signature, group signature authenticates the user by ensuring that the signature is from a valid user of the group with the need of the, identity. Comparison of techniques dealing with VM security during execution. Summary 6. To prevent the attacks on the network infrastructure, the ACPS utilizes the method presented in, warnings are recorded in the warning pool. For other frameworks, there is no specified model to manage trust between cloud service providers and identity providers, as cloud service providers must decide by themselves which identity providers are trustworthy. Cloud computing exhibits remarkable potential to provide cost effective, easy to manage, elastic, and powerful resources on the fly, over the Internet. The data along with the verifiable signatures is sent to the cloud by encrypting with the session key. 
The management of the resources is accomplished either by the extended hardware capabilities or by the tiny system management software. The mobile devices can now execute heavy compute and storage intensive, . Moreover, virtual network isolation is introduced by utilizing a layer-two tunnel Virtual Private Network (VPN) between virtual bridges. A compromised hypervisor can, Therefore, the security of the hypervisor needs distinctive focus. each element being an attribute or set of attributes. issues is highly desirable. A.N. Comput. presented SecCloud, a storage security protocol that not only secures the user data uploaded into the, used a combination of established and specialized procedures besides additional proposed, utilized the concept of proxy re-encryption in addition to, . Moreover, certain orthodox issues become even more sensitive and critical when dealt with in the cloud environment. [119] Y. Xia, Y. Liu, H. Chen, B. Zang, Defending against VM rollback attack, in: IEEE/IFIP 42nd International Conference on Dependable Systems and. There are many models for the requirement engineering phase. Rosado, E. Fernández-Medina, E.B. A Trust Assurance Level (TAL) is introduced that specifies the trust level of the cloud platform. The cloud computing model does not provide users with full control over data. attack by secure logging and auditing of VM operations (suspend, resume, migration). The VM at the time of registration is checked for software and a record is kept that is matched against installed and available packages. 4. 51 (1) (2011) 176–189, P. Mell, T. Grance, The NIST definition of cloud computing (draft), NIST Special Publ. age, elastic, and powerful resources on the fly, over the Internet. management and role based access control. erature that aim at securing the hypervisor. A VM migration is only allowed if the TAL of the hosting platform is in the range of the user specified requirement. 
The restrictions are specific to the situations where data is to be shared among the group and/or requires forwarding. 246–257. Syst. 59–66. Kiah, S.A. Madani, M. Ali, S. Shamshirband, Incremental proxy re-encryption scheme for mobile cloud computing environment, J. A.N. Appl. This is usually done through Web, The services and the customer’s applications and data present on the cloud must be accessible to the customers using the standard mechanisms and protocols. The portions that require the host OS for functionalities were replaced by the user-mode equivalents. However, if the attack activity is confirmed then the action is taken. The hash value at each state is subsequently used for later activation of the snapshot. Due to the fact that it is hard to distinguish between a legal vulnerability scan of the network and attacker activity, usually such scans are not allowed by the service providers. In the proposed cloud, special collaboration methods are offered as services to reduce the time and cost of development; hence they become plug and play components to be used when needed. Attribute Set Based, allows users to enforce dynamic constraints on how those attributes mutually fulfill the access control policy. Mobile, Q. Duan, Y. Yan, A.V. At the end of the device life cycle, it may not be possible to destroy it as it is needed at the CSP side to ensure the availability and recovery of data in case of intentional and accidental disasters. Subsequently, a unique identifier is assigned to each of the VMs. 39 (1) (2013) 47–54. The user gets the storage space from the CSP to store data. The TPM credentials measure the trust level of. For the classification of the security aspects that affect the performance of these models, a framework is proposed, and we check the results regarding selected security parameters and RE models. access key structure. 
The data in the cloud is much more vulnerable to risks in terms of confidentiality, integrity, and availability in comparison to the conventional computing model, increasing number of users and applications leads to enhanced security risks. Inform. 1 (1) (2012) 1–18, located VMs, IEEE Trans. ’’ denote whether the domain specified in the column has, provides the architectural framework of the cloud, highlights the security concerns in the mobile cloud com-, discusses the techniques and open issues and Section, . Analyzing and modelling temporal social networks from data of social population interactions. the group. The results of the update checker and OPS are generated in the form of a report to inform both the user of the VM and the system administrator. The data is transmitted between VMs in a peer-to-peer (P2P) manner, without transiting through the central server. secure the data in the cloud. The Xen hypervisor is used to demonstrate the proposed model. Moreover, the proposed sanitization process depends on the optimal key generation, which is performed by the hybrid meta-heuristic algorithm. The characteristic further demands that the availability of services should support heterogeneous thin or thick environments (for example, mobile phones, laptops, workstations, tablets). The SECaaS works at all levels (SaaS, PaaS, IaaS) and secures the services. Traditional ways of managing information technology (IT) service providers are no longer applicable as companies use more and more services provisioned in the cloud. Our final cloud management framework comprises ten processes for effective CSP management based on a literature study and twelve expert interviews. Sah, S. Shakya, H. Dhungana, A security management for cloud based applications and services with diameter-AAA, in: IEEE International. For example, if a CSP sub-contracts any service to a third party then in case of a problem it becomes hard to claim at the CSP. 
A security and privacy framework for RFID in cloud computing was proposed for RFID technology integrated with cloud computing, which will combine cloud computing with the Internet of Things. R. Latif, H. Abbas, S. Assar, Q. Ali, Cloud computing risk assessment: a systematic literature review, in: Future Information Technology, Springer. 35. The ImageElves works both on the running and dormant VM images. The malicious user with super-user access to the real network components may launch attacks, such as. A malicious user can investigate the code of the image, VMs running on the same physical hardware need to be isolated from each other. Security solutions for cloud applications and APIs, The cloud applications and APIs on the SaaS and PaaS layers require special security attention to have a secure development and execution life cycle. The ImageElves groups the similar VMs into classes and applies updates to those classes. 16 (1) (2012) 69–73, C. Rong, S.T. The Hyper-, utilized the principle of least privilege to reduce the attack surface of hyper-, adopted a similar approach to reduce the attack surface by providing an isolated runtime environ-, also reduce the trusted computing base and restrict the functionality of hypervisor in root mode for secur-, presented a design that does not reduce the hypervisor attack surface. Waters, Efficient identity-based encryption without random oracles, in: Advances in Cryptology EUROCRYPT, Springer, Berlin, Heidelberg, 2005, pp. The SVM executes a kernel that is similar to the kernel of the GVM. Cloud Security Alliance Identified Threat Domains in Cloud Computing Common Risks and Threats Cloud Security Alliance (CSA) has identified seven domains of security threat (Cloud The HyperLock also removes the Quick EMUlator (QEMU, a user program of the KVM hypervisor) from the trusted computing base, greatly reducing the attack surface. 
The malicious code can be in the form of a Trojan horse, virus, or worm and can cause the compromise of a mobile application running on the mobile device. The proposed technique also lets the user audit the TAL of the platform after VM migration to assure that his requirements, The trusted computing technology has also been used by authors in, authors not only ensure the integrity of the destination platform but also secure the migrating contents on the communication channel. Moreover, listed-rule firewalls decrease performance due to sequential rule searching and the arrangement of bigger rules after the smaller rules. The users are allowed to upload and download images from the repository, . Privacy 11 (1), K. Sankar, S. Kannan, P. Jennifer, On-demand security architecture for cloud computing, Middle-East J. Sci. The vTPM is also migrated along with the VM to ensure the integrity of the VM during the migration process. Fernandez, An analysis of security issues for cloud computing, B. Hay, K. Nance, M. Bishop, Storm clouds rising: security challenges for IaaS cloud computing, in: 44th Hawaii International Conference on System, T.D. Zeng, Security-aware intermediate data placement strategy in scientific cloud workflows, Knowl. The metadata of the VMs, kept by the VMM, may also be, . Comparison of strategies proposed for security of cloud applications and APIs. The proposed technique rests on the foundations of trusted computing. For example, data security becomes more critical and difficult to deal with because of the absence of administrative control by the data owner. The community cloud is shared by a number of organizations and/or customers forming a community. Moreover, there exists communication within the cloud between VMs. The exterior redirects and updates the memory state at the VMM from SVM to GVM. The control transitions are monitored and secured by the software portion called VM-shim that works between the hypervisor and VMs.
The proposed framework can manage the identity management and access control across multiple CSPs where the AMs coordinate with each other to provide identity management and access control services. [84] T. Ristenpart, E. Tromer, H. Shacham, S. Savage, Hey, you, get off of my cloud: exploring information leakage in third-party compute clouds, in: Proceedings of the 16th ACM Conference on Computer and Communications Security, 2009, pp. N. Fernando, S.W. The user generates an authentication certificate from the obtained credentials. This is achieved by utilizing a set of assessment criteria. The above mentioned features encourage the organizations and individual users to shift. In case of successful update, other VMs of that particular class. Afterwards, the source and destination hosts establish a trusted tunnel channel by mutual authentication and establishment of a session key. The collector module downloads the images from the image repository and scans the images in the repository to detect outdated software and the presence of any malware. The suspicious traffic is collected by the component called the SnortFlow daemon. The File Assured Deletion (FADE) protocol that furnishes key management along with the data privacy and integrity is, symmetric keys are protected by using Shamir's (, group of key managers (KM) that act as a trusted third party. Cloud Computing Security Wikipedia [3] defines Cloud Computing Security as “Cloud computing security (sometimes referred to simply as "cloud security") is an evolving sub-domain of computer security, network security, and, more broadly, information security. performance due to Cyberguarder and 5% increase in the energy consumption. Some of the technologies in cloud computing do not affect, particular service model. Moreover. The proposed scheme handles both live and dormant virtual machines. Ogundele, Elliptic curve cryptography for securing cloud computing applications, Int.
Risks will vary depending on the sensitivity of the data to be stored or processed, and how the chosen cloud vendor (also referred to Liu et al. 29 (5) (2013) 1254–1264. The E-discovery refers to an issue that arises when, . In this paper, we (1) identify cloud-specific challenges in managing CSPs, (2) develop a corresponding process framework for CSP management, and (3) discuss and extend this framework. In the follow-, presented a VM migration technique that allows VM migration only if the destination platform is secure, for secure intra-cloud migration of VMs. 401–412. The DCPortalsNg interacts with OpenStack through a Neutron plugin and obtains all of the required virtual network information. Therefore, organizations are looking for new ways to manage their relationship with cloud providers. The shared pool of resources creates a need for a trustworthy access control system that can prevent unauthorized access to the resources. The specific issue scenario results in the development of multiple solutions catering to various security needs. The aforesaid technologies generate. Intensive experiments were conducted on a prototype of this trust model to prove its effectiveness in a cloud computing environment. Cloud Comput. Based on this analysis, this study derives a detailed specification of the cloud live virtual machine migration integrity problem and key features that should be covered by the proposed framework. Therefore, a compromised hypervisor will only affect the paired VM, keeping the other VMs on the host secure. 86 (09) (2013) 2263–2268, M. Sadiku, S. Musa, O. Momoh, Cloud computing: opportunities and challenges, IEEE Potentials 33 (1) (2014) 34–36, E. Schweitzer, Reconciliation of the cloud computing model with US federal electronic health record regulations, J. Besides privacy and integrity, the HyperCoffer also provides security against VM rollback by using logging and auditing.
Property-based remote attestation is used to verify the integrity and security conditions of the remote host before migration. environment, J. Supercomput. 3 (1) (2011). The HyperCheck was implemented both for open and closed source BIOS. The homomorphic tokens are pre-computed by the user and the data is fragmented and stored redundantly across the cloud servers. Some parts of this approach such We also propose a set of trust features for federated identity management systems, which serves as a basis for modelling and quantifying the trust level of unknown entities. Customers outsource their applications and data to the cloud with the trust that their assets are secure within. The defined requirements should also be in the. The cloud security alliance, must be provided without any assumption about the external environment. However, providing adequate interoperability and security support by those complex distributed systems is of primary importance for the wide adoption of cloud computing by the end users. Eng. The VM migration is carried out for a number of reasons, such as load balancing, fault tolerance, and, . 2: Cloud Security Simplified, 3: Questions of Confidentiality, 4: Ensuring Integrity, 5: The Risk of Service Disruption, 6: Putting It All Together, 7: Data is King, 8: The Cloud-Friendly Security Team, 9: The Cloud Security Checklist, 10: The Final Word on Cloud Security. In case of any malicious activities, human operators are notified. However, it does not focus on the data integrity. Syst. [130] F. Zhang, J. Wang, K. Sun, A. Stavrou, HyperCheck: a hardware-assisted integrity monitor, IEEE Trans. Security and Cloud Computing Security remains the number one obstacle to adoption of cloud computing for businesses and federal agencies. Chow, Y. J. Li, B. Li, T. Wo, C. Hu, J. Huai, L. Liu, K.P. Multi-tenancy is the property that enables the use of a single resource by multiple customers that may or may not, . Comput.
The integrity of the application is checked at the destination, ommends the security services provided by different clouds and an independent cloud (manager cloud) that keeps track of these services. The proposed methodology conducts the verification of the cloud data correctness without explicit knowledge of the whole data. Likewise, from the cloud service model view point, the service models are dependent. The cloud’s physical infrastructure is owned by the CSP and is open to the general public and organizations. cloud specific security threats that need to be understood and dealt with keeping in view the novel characteristics of the cloud. The secure software development life cycle and software architecture should be developed and maintained. VM images at rest should be patched with the latest fixes as soon as required. For network isolation, the concept of packet rewriting is used that opens the original packet and extracts source and destination addresses from the packet. The advantage of the scheme is that the user can keep the VMs up-to-date and administrators can check that outdated software does not run on their system. The proposed framework, called Kororā, is designed and developed on a public infrastructure-as-a-service cloud-computing environment. Some of these challenges include the UAVs' energy levels, high mobility, and current locations. The economical, scalable, expedient, ubiquitous, and on-demand access to shared resources are some of the character-, . The SaaS only provides software through the Internet, making it a model to distribute software through the Web. W. Liu, S. Peng, W. Du, W. Wang, G.S. Pietro, F. Lombardi, M. Signorini, CloRExPa: cloud resilience via execution path analysis, Future Gener. Eng. Moreover, an infected VM can be used to monitor the activities and data of other users, resulting in a privacy breach. The data key (, requests the KM to generate a key pair by sending, transmits public part to the user.
Secure and efficient management of identities remains one of the greatest challenges Parallel Distrib. 800 (145) (2011) 7, http://dx.doi.org/10.1109/TC.2014.2317188. We divide the cloud communication into two categories, namely: (a) communication external to the cloud (between customers and cloud) and (b) communication internal to the cloud (communication, The external communication of the cloud is similar to any other communication over the Internet. The FADE is a lightweight protocol that uses both symmetric and asymmetric encryption. To reduce the computational redundancy, the verifier does not build the whole tree but uses probabilistic sampling. The DeHype greatly reduces the risk of system subversion as most of the hypervisor code does not have privileges. Alese, A.O. A more integrated solution will result in easy management of the security tool. The trusted authority administers the domain level authorities that in turn manage subordinate domain authorities at the next level or the users in the domain. The user application is then registered with the security providing clouds that provide security services. Employees of SaaS providers having access to information may also act as a potential risk, Besides the data at rest, the data being processed also comes across security risks, resources are shared among multiple tenants. Even the critical infrastructure, for example, power generation and distribution plants, is being migrated to the cloud computing paradigm. The cloud services in addition to ground cloud computing services can be used together to enable the development and operations of collaborative UAVs. The trusted authority generates and distributes the system parameters and root master key to the domain authorities. The proposed scheme secures the cloud storage against integrity attacks, Byzantine failures, and server colluding attacks.
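The FADE mechanism described above (a data key protected through a quorum of key managers holding Shamir shares, so that erasing enough shares makes the stored ciphertext permanently unrecoverable) is easier to reason about in code. The block below is an added example, not the FADE authors' protocol or the survey's material. It simplifies FADE in two labelled ways: the per-policy key that FADE keeps as an asymmetric key pair at the key managers is here a symmetric value split with Shamir's scheme, and an HMAC-SHA256 keystream stands in for a real block cipher so the example runs with the Python standard library only (not a cipher to use in production). The prime field, the `KeyManager`, `upload`, `download` and `demo` names, and the sample record are all assumptions.

```python
import hashlib
import hmac
import os
import secrets

P = 2 ** 127 - 1  # prime field for Shamir sharing (assumption: any large prime works)


def _eval_poly(coeffs, x):
    """Evaluate a polynomial with coefficients [a0, a1, ...] at x over GF(P)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_secret(secret, n, k):
    """Split an integer secret (< P) into n shares; any k of them recover it."""
    if not (0 <= secret < P and 1 <= k <= n < P):
        raise ValueError("bad Shamir parameters")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares):
    """Lagrange interpolation at x = 0 over GF(P) from exactly k shares."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, -1, P)) % P
    return secret


def _stream_xor(key, data):
    """Keystream XOR from HMAC-SHA256 in counter mode (stand-in for AES, assumption)."""
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


def _policy_key_bytes(policy_key_int):
    return hashlib.sha256(policy_key_int.to_bytes(16, "big")).digest()


class KeyManager:
    """One of the trusted-third-party key managers; holds one share per policy."""

    def __init__(self):
        self._shares = {}

    def store(self, policy, share):
        self._shares[policy] = share

    def share_for(self, policy):
        return self._shares.get(policy)

    def revoke(self, policy):
        # Assured deletion: the share is erased, not merely flagged as unused.
        self._shares.pop(policy, None)


def upload(managers, policy, plaintext, k):
    """Encrypt under a fresh data key, wrap that key under the policy key, and
    hand the policy key to the KMs as Shamir shares. The cloud stores only the blob."""
    data_key = os.urandom(32)
    policy_key = secrets.randbelow(P)
    for km, share in zip(managers, split_secret(policy_key, len(managers), k)):
        km.store(policy, share)
    return {
        "policy": policy,
        "wrapped_key": _stream_xor(_policy_key_bytes(policy_key), data_key),
        "ciphertext": _stream_xor(data_key, plaintext),
    }


def download(managers, blob, k):
    """Recover the policy key from any k surviving shares; None once fewer remain."""
    shares = [s for s in (km.share_for(blob["policy"]) for km in managers) if s is not None]
    if len(shares) < k:
        return None  # policy deleted: the cloud's copies (and backups) are now useless
    policy_key = recover_secret(shares[:k])
    data_key = _stream_xor(_policy_key_bytes(policy_key), blob["wrapped_key"])
    return _stream_xor(data_key, blob["ciphertext"])


def demo():
    """Five KMs, threshold 3: two revocations are survivable, the third deletes the file."""
    kms = [KeyManager() for _ in range(5)]
    blob = upload(kms, "project-x", b"constructed sample record", k=3)  # constructed input
    before = download(kms, blob, k=3)
    kms[0].revoke("project-x")
    kms[1].revoke("project-x")
    still_readable = download(kms, blob, k=3)
    kms[2].revoke("project-x")
    after = download(kms, blob, k=3)
    return before, still_readable, after
```

The threshold is what makes deletion assured yet fault-tolerant: losing two of five managers does not lose the data, but once the policy is revoked at three of them, no number of ciphertext backups held by the CSP can bring the file back. A production deployment would replace the keystream with an AEAD cipher and authenticate the requests to the key managers.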
Finally, we discuss future research challenges that require further attention. networks are responsible for communication between VMs. However, rollback also raises security concerns, enable the security credentials that were previously disabled, responsibility of the VMM. The experimental results showed that for a file size of 8 MB, the SDD-RT-BF model offers a maximum deduplication rate of 25.40% whereas the SS, SSIMI and SDM models attain minimum deduplication rates of 24.60%, 23.60% and 22.30% respectively. Thus, our paper contributes to cloud sourcing research by deepening the understanding of client-provider relationships and by introducing a viable CSP management instrument contingent on three salient factors of cloud service provisioning. Khan, M.L.M. At the communication level, the physical network infrastructure retains more of the conventional issues and solutions. 2, 2013, pp. Mag. However, data security is still a major concern and is the main obstacle preventing cloud computing from being more widely adopted. On the one hand, the publishing of APIs helps the users to know the details, components and functions of the cloud. Comprehending the security threats and counter measures will help organizations to carry out the cost benefit analysis and will urge them to shift to the cloud. 587–594. Comput. The hypervisor checks the integrity of the DomU state after every management function executed by the Dom0. On the other hand, the cloud architecture to some extent is exposed to the attackers, credentials, insufficient authorization and input-data validation. SIGPLAN/SIGOPS International Conference on Virtual Execution Environments, 2013, pp. However, the metadata is stored on the central node for optimized traffic between the VMMs.
The process of mapping the organizational identities to the cloud and the time it takes to translate the changes of the identities into the cloud is a crucial factor affecting the security in general and access control in particular. Additionally, the proposed scheme performs error localization by detecting the misbehaving server. ESORICS, Springer, Berlin, Heidelberg, 2009, pp. duce certain risks in the system. L. FB Soares, D. AB Fernandes, J.V. Dinh, C. Lee, D. Niyato, P. Wang, A survey of mobile cloud computing: architecture, applications, and approaches, Wireless Commun. Sec. The scheme in, built an ontology that is used to provide automated selection and negotiation. The ABE was introduced in, messages using the attributes and decryption can be performed by users possessing those attributes. The, . The FADE works with a, . The idea of decoupling the security and VM management to protect the runtime environment of the VM is utilized in, CloudVisor provides privacy and integrity to the VM resources (CPU, memory, and I/O devices) during execution. International Symposium on High Performance Computer Architecture, 2013, pp. To mitigate the vulnerabilities in VMs by patching fixes, Schwarzkopf et al. The route mode creates a P2P link between the VM and the domain 0 (the VM management domain). Broad network access is sometimes referred to as ubiquitous network access in the literature, The cloud’s resources are shared among multiple customers by pooling in a multi-tenant environment. The filters are applied to the images both at publishing and at retrieval time to detect and remove the unwanted information. Kernel data rootkit attacks and intrusions are detected by introspection. Inform. SPI (software, platform, and infrastructure). In particular, the authors discuss a scheme for secure third party publications of documents in a cloud.
Security for the cloud premises is essential as the cloud holds a lot of outsourced, unprotected sensitive data exposed to public access. sniffing and spoofing over the real network. The ws-agreement mainly captures the agreement based on quality of service. Below we provide an overview. Along with . Publishing, retrieving, and modification of VM images require proper permissions. Trusted computing is used for attestation and integrity verification of source and destination platforms. The best practices regarding key management and encryption products from reliable sources should be used. The HyperCoffer trusts only the processor chip and considers everything else as, proposed CloudSec that monitors the VMs' physical memory externally by using VM Introspection, , therefore, requires high security considerations. The requesting users’ identities are also managed by the AM. A user can create his/her own VM image or can use an, . solutions to produce the desired security level. Conventional network security systems, like intrusion detection systems (IDSs), are adaptively deployed into the virtual network for the security of applications running on the virtual network. Additionally, there is a need to encrypt the symmetric key asymmetrically with the Elliptic Curve Diffie-Hellman (ECDH) algorithm with a double stage permutation, which produces a scrambled form of data, adding security to the data. All of the users, whether individual or organization, should be well aware of the security threats existing in the cloud. 187–196. The difference in both techniques, however, is that ImageElves automatically updates the VMs. dictions, monitoring of contract enforcement, etc.
All content in this area was uploaded by Mazhar Ali on Nov 07, 2017, Security in cloud computing: Opportunities and challenges, COMSATS Institute of Information Technology, Abbottabad, Pakistan, The cloud computing exhibits remarkable potential to provide cost effective, easy to man-. Check is a hardware-assisted framework that uses the CPU system management mode (SMM) of the x86 architecture for viewing the CPU and memory state of the machine. The transfer of the VM and vTPM is carried out on the established trusted channel. de-privileged DeHype. This survey details the security issues that arise due to the very nature of cloud computing. Z. Xiao, Y. Xiao, Security and privacy in cloud computing, IEEE Commun. With regards to traffic on the virtual network, privacy and monitoring become contradicting requirements. mapping. The VM migration poses different security issues as discussed in Section, ing we present techniques presented in the literature that handle VM migration. The SLA also indicates (a) the minimum performance level that the CSP has to provide, (b) counteractive actions, and (c) consequences in case of breach of the, the requirement should be thoroughly agreed upon in the SLA. The solutions to these challenges are also the same as employed conventionally, such as Secure Sockets Layer, . Security is certainly one of the major challenges of cloud computing and takes a central place in all discussions concerning this paradigm [2,6. Comput. The customers pay the cloud owner according to the services and resources they use. The process can also be applied at the time of VM launch to guarantee the. Some of the available directions for future work are also discussed. Comput. Lui, R. Perlman, Secure overlay cloud storage with access control and assured deletion, IEEE Trans. The algorithm updates the risk evaluation according to the changes in the SLA.
The authors integrated the EVDIC with OpenStack to reveal the successful interoperation. The traffic rates can be monitored for malicious purposes. 41–51, Workshop on Cloud Computing Security, 2009, pp. Lee, J.C.S. 243–248. updates and rolling back in case of errors. Similarly, the strategies to relieve the security issues are discussed in terms of ‘‘what’’ components and processes should be secured and evaluated. 1) The sensitivity of the information to be stored and/or processed in the cloud; and 2) The potential impact of an event that results in the loss of confidentiality, integrity or availability of that information • Cloud Security Model (CSM) defined 6 Information Impact Levels • Cloud Computing SRG defines 4 Information Impact Levels Secondly, the firewall layer does not allow the packets to update the routing table. The security for migration is provided by, used multiple basic theories to propose a framework for secure live migration of VMs and to provide, also used role based access control policies to ensure security against VM, proposed a framework that migrates not only the VM but also the security context to the, presents the summarized properties of the discussed schemes dealing, presented a framework named HyperCheck to ensure a secure execution of the hypervisor. However, the process of updating VMs is a manual pro-. In the Mobile Cloud, Mobile cloud computing promises several benefits such as extra battery life and storage, scalability, and reliability. A VMM may affect the execution of VMs running on the host system, are managed by the victim VMM under attacker’s control, exposed to an attacker if the attacker takes control of a VMM, entry points and interconnection complexities, control of the VMM or bypass security restrictions. security parameters for the SLA. cloud specific characteristics and technologies. and ensure optimal fulfillment of customer’s security needs.
The encryption of data before outsourcing to the cloud ensures the privacy of the data but poses certain restrictions. Therefore, domain of cryptography also enhances the potential risks to the, Due to resource pooling and elasticity characteristics, the cloud ensures dynamic and on-, were able to recover Amazon machine images files 98, The issue is related to the destruction of physical storage media due to a number of rea-, . The OPS-offline is. A VM monitor (VMM) or hypervisor is the module that manages the VMs and permits various operating systems to run simultaneously on the same physical system, can evolve as a serious threat if it is used in a malicious manner, to look for probable attack points. Version 3.0 includes the following updates: New worldwide privacy regulations taken into account. A virtual network is a logical network built over a physical network. To overcome this challenge, this paper attempts to develop the privacy preservation model in the cloud environment using the advancements of artificial intelligence techniques. Key to the successful adoption and transition of information systems to cloud is the implementation of a strategic proactive information security management and governance The Mirage provides a four-, , the authors proposed encrypted virtual disk images in cloud (EVDIC) that exploits encryption to secure the VM, targeted at providing updated software installs, and patches for the, to identify and rectify images with outdated software and, presents the comparative summary of the presented schemes, proposed an architecture that provides a secure runtime virtualization environment to a VM. If the CSP does not sanitize the devices properly, the data can be exposed to risks, The data backup is also an important issue that needs to be dealt with carefully. The reason being the private cloud is meant for the use of a single organization.
The risk models and attack models should be continuously built and maintained. The ABE in TimePRE uses eligible time periods for a user, along with other attributes, to identify a user. Therefore, the Dom0 has only an encrypted view of confidential memory regions. Appl. Cloud computing is predicted to expand in the mobile environment leveraging on the rapid advances in wireless access technologies. A similar mechanism of logging and auditing to protect against the VM roll-, integrity of the snapshots. The download is allowed based on user authentication that is carried out cooperatively by the data owner and the cloud. The rising volume of sensitive and personal data being harvested by data controllers has increased the security essentials in the cloud system. United Kingdom, Tech. and OpenECP that are open source cloud systems. The resources are shared among all the customers. Moreover, the protection mechanism. This paper introduces a management framework that targets modularity and comprehensiveness. The sharing of network components provides the attacker the window of cross-tenant, . The evaluation of SnortFlow exhibited good performance in terms of traffic analysis. 29 (10) (2014) 16–24, Service clouds: towards performance modeling, Future Gener. cloud development and deployment. Moreover, the users and the CSP must have a mutual understanding about the roles and responsibilities of each other. Instead more than one models become affected, such, and PaaS. The authors in. in utilization and energy consumption in a static setting as workloads run with lower frequencies and energy The proposed framework provides the same level of privacy and integrity at the destination as that of the source host. Although virtual devices have been proposed to secure the virtual network, a comprehensive strategy to monitor the traffic on the virtual network is needed to avoid malicious flow of information. The rollback, .
The user revocation is dealt with by changing the encryption parameters of all such data that has. Table provides salient security features provided by the scheme and the technique used to provide the security measures. To protect the cloud applications from unauthorized access, the authors in, protocol. It checks for the updates of the installed software and identifies the VMs (both dormant and running) that need to be updated. Conference on Distributed Computing Systems (ICDCS), 2013, pp. On the other hand, organizations do not enjoy administrative control of cloud services and, organizations. The highlights of presented techniques are tabulated in, 4.2.5. The filters remove any leftover private information, malware, and pirated software from the image. However, the future discussion has not been dis-, reviewed the security and privacy challenges in the cloud computing and discussed the, elaborated the security issues in the cloud along with the approach-, detailed the security issues in the cloud computing in depth with brief discussion on, surveyed the popular security models of cloud computing, such as. ments. Trans. Generating and managing virtual resources is yet another function performed by the VMM. However, resource scarcity in mobile devices does not permit the adoption of security solutions proposed for the regular cloud.