Tuesday, February 15, 2011

CLOUD COMPUTING

ABSTRACT:
Cloud computing has taken the IT world by storm, quickly making its way up the list of technology buzz words. It is clearly one of today’s most enticing technology areas due, at least in part, to its cost-efficiency and flexibility. Cloud computing is essentially the management and provision of applications, information and data as a service. These services are provided over the internet, often on a consumption-based model. However, despite the surge in activity and interest, there are significant, persistent concerns about cloud computing that are impeding momentum and will eventually compromise the vision of cloud computing as a new IT procurement model.
In this paper, we characterize the security issues and their impact on adoption. In particular, we argue that with continued research advances in trusted computing and computation-supporting encryption, life in the cloud can be advantageous from a business intelligence standpoint over the isolated alternative that is more common today.



ACRONYMS:
PaaS. Platform-as-a-service products offer a full or partial development environment that users can access and utilize online, even in collaboration with others.
IaaS. Infrastructure-as-a-service products deliver a full computer infrastructure via the Internet.
DaaS. Desktop-as-a-service, which utilizes virtualization of desktop systems serving thin clients.






INTRODUCTION:
Cloud computing provides a convenient way of accessing computing services, independent of the hardware you use or your physical location. It relieves the need to store information on your PC, mobile device or gadget with the assumption that the information can be quickly and easily accessed via the net. Cloud computing also negates the need to download or install dedicated software on your own computer, freeing up onboard memory and reducing energy costs.
We are probably already using cloud computing services without realizing it. Google is one of the most prominent companies offering software as a free online service to billions of users across the world. The internet giant hosts a set of online productivity tools and applications in the cloud such as email, word processing, calendars, photo sharing, and website creation tools.

More so than other types of hosted environments, when it comes to the cloud, companies worry about the “S” word: Security.
CLOUD COMPUTING:
As a metaphor for the Internet, "the cloud" is a familiar cliché, but when combined with "computing," the meaning gets bigger and fuzzier. Some analysts and vendors define cloud computing narrowly as an updated version of utility computing: basically virtual servers available over the Internet. Others go very broad, arguing anything you consume outside the firewall is "in the cloud," including conventional outsourcing.
DEFINITION:
A technical definition is "a computing capability that provides an abstraction between the computing resource and its underlying technical architecture (e.g., servers, storage, networks), enabling convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction."


CLOUD COMPUTING-INFRASTRUCTURE:

What Makes Up a Cloud?

The principles of cloud computing include:
  • Virtualization and automation
  • Interchangeable (fungible) resources such as servers, storage and network
  • Management of these resources as a single fabric
  • Elastic capacity (scale up or down) to respond to business demands
  • Applications (and the tools to develop them) that can truly scale out
  • Focused on the service delivered to the business

  • Shared, virtualized infrastructure: At the heart of cloud computing is one of its key technological enablers, virtualization. Virtualization provides a path to share pools of IT resources such as servers, storage, data, and more. By virtualizing and sharing such resources, higher utilization rates can be realized. Effectively, more can be done with less, or more can be done with existing resources.
  • Self-service access: Cloud computing solutions should enable self-service capabilities to their users. The days of human-driven resource provisioning requests are replaced by some type of portal, usually web-based, that allows authorized users to directly access compute resources based on their need.
  • Elastic resource pools: Whether cloud computing concepts are being applied to a set of servers, blocks of storage, or shards of data, the resource pool should be elastic. This means that as more resource is needed, the system provisions more from the pool to ensure demand is met. Conversely, and just as importantly, when a resource is no longer needed it should be returned to the pool. This dynamic growth and contraction should be carried out autonomically based on parameters defined by users of the cloud.
  • Consumable output: Once the resources are provisioned by the cloud, they should be as close to “ready-to-go” as possible. Configuration, tuning, and integration should be handled by the cloud computing solution where possible, allowing users to derive immediate value from the provisioned components.
  • User-based usage tracking: This feature is really a need created by the first characteristic mentioned. If the cloud is offering up shared resource pools, it is necessary to understand who is using those resources and how much they are using. Cloud computing solutions should provide a way to allocate usage of its resources to a particular user or group of users in order to facilitate chargeback within a business.
TYPES:
  i. Public cloud
  ii. Hybrid cloud
  iii. Private cloud
PUBLIC CLOUD:
Public Cloud or external cloud describes cloud computing in the traditional mainstream sense, whereby resources are dynamically provisioned on a fine-grained, self-service basis over the Internet, via web applications/web services, from an off-site third-party provider who shares resources and bills on a fine-grained utility computing basis.
HYBRID CLOUD:
A hybrid cloud is a cloud computing environment in which an organization provides and manages some resources in-house and has others provided externally. For example, an organization might use a public cloud service, such as Amazon's Elastic Compute Cloud (EC2) for general computing but store customer data within its own data center.
Although cloud computing is often said to be the future of the industry, the hybrid model is more prevalent for a number of reasons. Large enterprises often already have substantial investments in the infrastructure required to provide resources in-house. Furthermore, many organizations would prefer to keep sensitive data under their own control to ensure security.


PRIVATE CLOUD:
Private cloud and internal cloud are neologisms that some vendors have recently used to describe offerings that emulate cloud computing on private networks. These (typically virtualisation automation) products claim to "deliver some benefits of cloud computing without the pitfalls", capitalising on data security, corporate governance, and reliability concerns. They have been criticised on the basis that users "still have to buy, build, and manage them" and as such do not benefit from lower up-front capital costs and less hands-on management, essentially "[lacking] the economic model that makes cloud computing such an intriguing concept".
While an analyst predicted in 2008 that private cloud networks would be the future of corporate IT, there is some contention as to whether they are a reality even within the same firm. Analysts also claim that within five years a "huge percentage" of small and medium enterprises will get most of their computing resources from external cloud computing providers as they "will not have economies of scale to make it worth staying in the IT business" or be able to afford private clouds.
The term has also been used in the logical rather than physical sense, for example in reference to platform as a service offerings.


CLOUD USERS:
EG-1: MOGULUS
  • MOGULUS is a live broadcast platform on the internet (cloud customer).
  • Producers can use the MOGULUS browser-based studio application to create live, scheduled and on-demand internet television to broadcast anywhere on the web through a single player widget.
EG-2: ANIMOTO
  • ANIMOTO is a video rendering and production house with service available over the internet.
  • With their patent-pending technology and high-end motion design, each video is a fully customized orchestration of user-selected images and music in several formats, including DVDs.
  • After the release of its Facebook app, users were easily able to render their photos into MTV-like videos:
      • Ramped from 25,000 users to 250,000 users in three days
      • Signing up 20,000 new users per hour at peak
      • Went from 50 to 3500 servers in 5 days
      • Two weeks later scaled back to 100 servers
EG-3: New York Times
  • Times Machine is a news archive of the NY Times available in PDF over the Internet to newspaper subscribers.
SECURITY ISSUES:
In the last few years, cloud computing has grown from being a promising business concept to one of the fastest growing segments of the IT industry. Now, recession-hit companies are increasingly realizing that simply by tapping into the cloud they can gain fast access to best-of-breed business applications or drastically boost their infrastructure resources, all at negligible cost. But as more and more information on individuals and companies is placed in the cloud, concerns are beginning to grow about just how safe an environment it is. Cloud computing is gaining traction with businesses, but before we jump into the cloud, we should know the unique security risks it entails. The following five issues need to be addressed before enterprises consider switching to the cloud computing model:
  i. Every breached security system was once thought infallible
  ii. Understand the risks of cloud computing
  iii. How cloud hosting companies have approached security
  iv. Local law and jurisdiction where data is held
  v. Best practice for companies in the cloud
Every breached security system was once thought infallible:
SaaS (software as a service) and PaaS (platform as a service) providers all trumpet the robustness of their systems, often claiming that security in the cloud is tighter than in most enterprises. But the simple fact is that every security system that has ever been breached was once thought infallible.
Google was forced to make an embarrassing apology in February when its Gmail service collapsed in Europe, while Salesforce.com is still smarting from a phishing attack in 2007 which duped a staff member into revealing passwords.
While cloud service providers face similar security issues as other sorts of organisations, analysts warn that the cloud is becoming particularly attractive to cyber crooks.
"The richer the pot of data, the more cloud service providers need to do to protect it."
Understand the risks of cloud computing:
At the heart of cloud infrastructure is this idea of multi-tenancy and decoupling between specific hardware resources and applications. In the jungle of multi-tenant data, you need to trust the cloud provider that your information will not be exposed.
For their part, companies need to be vigilant, for instance about how passwords are assigned, protected and changed. Cloud service providers typically work with numbers of third parties, and customers are advised to gain information about those companies which could potentially access their data.
An important consideration for cloud service customers, especially those responsible for highly sensitive data, is to find out about the hosting company used by the provider and if possible seek an independent audit of their security status.
How cloud hosting companies have approached security:
As with most SaaS offerings, the applications forming SmartClear's offering are constantly being tweaked and revised, a fact which raises more security issues for customers. Companies need to know, for instance, whether a software change might actually alter its security settings.
One of the world's largest technology companies, Google, has invested a lot of money into the cloud space, where it recognises that having a reputation for security is a key determinant of success. "Security is built into the DNA of our products," says a company spokesperson. "Google practices a defense-in-depth security strategy, by architecting security into our people, process and technologies".
However, the cloud is still very much a new frontier with very little in the way of specific standards for security or data privacy. In many ways cloud computing is in a similar position to where the recording industry found itself when it was trying to combat peer-to-peer file sharing with copyright laws created in the age of analogue.
In terms of legislation, at the moment there's nothing that is specifically built for cloud computing. As is frequently the case with disruptive technologies, the law lags behind the technology development for cloud computing.
What's more, many are concerned that cloud computing remains at such an embryonic stage that the imposition of strict standards could do more harm than good.
Standards by definition are restrictive. Consequently, people are questioning whether cloud computing can benefit from standardisation at this stage of market development. Until it is, there are nevertheless a handful of existing web standards which companies in the cloud should know about. Chief among these is ISO 27001, which is designed to provide the foundations for third party audit, and implements OECD principles governing security of information and network systems.
Local law and jurisdiction where data is held:
Possibly even more pressing an issue than standards in this new frontier is the emerging question of jurisdiction. Data that might be secure in one country may not be secure in another. In many cases though, users of cloud services don't know where their information is held. Currently in the process of trying to harmonise the data laws of its member states, the EU favours very strict protection of privacy, while in America laws such as the US Patriot Act invest government and other agencies with virtually limitless powers to access information including that belonging to companies.
For example, UK-based electronics distributor ACAL is using NetSuite OneWorld for its CRM. Simon Rush, IT manager at ACAL, needed to ensure that ACAL had immediate access to all of its data should its contract with NetSuite be terminated for any reason, so that the information could be quickly relocated.
Counter terrorism legislation is increasingly being used to gain access to data for other reasons. Customers benefit from advanced encryption that only they are able to decode, ensuring that service providers act only as the custodian, rather than the controller of the data, offering companies concerned about privacy another layer of protection.

SECURITY BENEFITS:

There are definitely plenty of concerns regarding the inability to trust cloud computing due to its security issues. However, cloud computing comes with several benefits that address data security. The following sections look into concepts such as centralized data, incident response or logging.

Centralized Data refers to the approach of placing all eggs in one basket. It might be dangerous to think that if the cloud goes down, so does the service it provides, but at the same time, it is easier to monitor. Storing data in the cloud avoids many issues related to losing laptops or flash drives, which has been the most common way of losing data for large enterprises or government organizations. The laptop would only store a small cache to interface with the thin client, but the authentication is done through the network, in the cloud. In addition to this, when a laptop is known to be stolen, administrators can block its attempted access based on its identifier or MAC address. Moreover, it is easier and cheaper to store data encrypted in the cloud than to perform disk encryption on every piece of hardware or backup tape.

Incident Response refers to the ability to procure a resource such as a database server or supercomputing power or use a testing environment whenever needed. This bypasses the supplemental red tape associated with traditional requesting of resources within the corporate world. Also, if a server is down for re-imaging or disk clean-up, the client may easily create similar instances of their environment on other machines, improving the acquisition time. From a security standpoint, cloud providers already provide algorithms for generating hashes or checksums whenever a file is stored in the cloud, which bypasses the local/client need for encrypting. This does not imply that clients should not encrypt the data before sending it, but merely that the service is already in place for them.
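The difference between a provider-computed checksum and a protection the client applies before upload can be shown in a few lines. This is an added example, not part of the original post: `ToyObjectStore`, `upload` and `download_and_verify` are hypothetical names, the store is an in-memory stand-in for a provider's API, and the sample data is constructed.

```python
import hashlib
import hmac
import secrets


class ToyObjectStore:
    """Hypothetical in-memory stand-in for a cloud provider's object store."""

    def __init__(self):
        self._objects = {}

    def put(self, name, data, metadata=None):
        # The provider computes its own checksum when the object is stored.
        self._objects[name] = {
            "data": data,
            "sha256": hashlib.sha256(data).hexdigest(),
            "metadata": dict(metadata or {}),
        }

    def get(self, name):
        obj = self._objects[name]
        return obj["data"], obj["sha256"], obj["metadata"]

    def provider_side_change(self, name, new_data):
        # Models a change made inside the provider: whoever can rewrite the
        # object can also refresh the unkeyed checksum stored next to it.
        obj = self._objects[name]
        obj["data"] = new_data
        obj["sha256"] = hashlib.sha256(new_data).hexdigest()


def _tag(key, name, data):
    # Keyed MAC over name and content; binding the name stops object swaps.
    return hmac.new(key, name.encode() + b"\0" + data, hashlib.sha256).hexdigest()


def upload(store, key, name, data):
    store.put(name, data, {"client-hmac": _tag(key, name, data)})


def download_and_verify(store, key, name):
    """Return (provider_checksum_ok, client_tag_ok) for the stored object."""
    data, provider_sum, meta = store.get(name)
    checksum_ok = hashlib.sha256(data).hexdigest() == provider_sum
    tag_ok = hmac.compare_digest(_tag(key, name, data), meta.get("client-hmac", ""))
    return checksum_ok, tag_ok


def demo():
    store = ToyObjectStore()
    key = secrets.token_bytes(32)  # generated and kept by the customer only
    upload(store, key, "ledger.csv", b"acct,amount\n1001,250.00\n")  # constructed data
    before = download_and_verify(store, key, "ledger.csv")
    store.provider_side_change("ledger.csv", b"acct,amount\n1001,950.00\n")
    after = download_and_verify(store, key, "ledger.csv")
    return before, after


if __name__ == "__main__":
    print(demo())
```

The provider's checksum still matches after the change, while the client's keyed tag does not. Neither value hides the content, so confidentiality still requires encrypting before upload.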

Password Assurance Testing is a service that can be used to harness the computational power of the cloud in attempts to break into a company's system by guessing passwords. This approach minimizes resources and time spent on the client side. Logging benefits come from the idea that the client need not worry about storage space for log files and enjoys a faster way of searching through them. Moreover, it allows for a convenient way to observe which user accessed certain resources at any given time.

Bottom Line on Cloud Computing Security:
  • Engage in full risk management process for each case
  • For small and medium organizations:
      • Cloud security may be a big improvement!
      • Cost savings may be large (economies of scale)
  • For large organizations:
      • Already have large, secure data centers
      • Main sweet spots:
          • Elastic services
          • Internet-facing services
  • Employ countermeasures listed above!

CONCLUSION:
Cloud computing can be as secure as, if not more secure than, the traditional environment. Most organizations really struggle, whether they want to admit it or not, to secure their networks. IT technicians are spearheading the challenge, while academia is a bit slower to react. Several groups have recently been formed, such as the Cloud Security Alliance or the Open Cloud Consortium, with the goal of exploring the possibilities offered by cloud computing and establishing a common language among different providers. The question is: would you rather be at a huge data center where a vendor is contractually required to keep your data secure, or would you rather rely on your staff to do it properly? You need to trust that your vendor will manage your data. But people are getting used to the idea of being able to access their data anytime and from anywhere because it is out on the Internet. In this boiling pot, cloud computing is facing several issues in gaining recognition for its merits. Its security deficiencies and benefits need to be carefully weighed before making a decision to implement it. However, the future looks less cloudy as more people are attracted by the topic and pursue research to improve on its drawbacks.
