A Survey on Security Issues and Vulnerabilities on Cloud Computing

A Survey on Security Issues and Vulnerabilities on Cloud Computing

V . Suguna1, M . Ramadevi2, D . Bullarao3, P . Nageswara Rao4

Department of Cse,Swetha Institute of Technology and Science::Tirupathi

Abstract- Cloud computing has gained significant traction for recent years. It is a form of distributedcomputing whereby resources and application platform are shared over the internet through on demand and pay on utilization basis. Several companies have already built Internet consumer services such as search engine, use of some websites to communicate with other user in websites, E-mail services, and services to purchase items online that use cloud computing infrastructure. However this technology suffers from threats and vulnerabilities that prevent the users from trusting it. The occurrence of these threats may result into damaging of confidential data in cloud environment. This survey paper aims to analyze the various unresolved security threats in cloud computing which are affecting the various stake-holders linked to it. It also describes the pros and cons of the existing security strategy and also introduces the existing issues in cloud computing such as data integrity, data segregation, and security and so on.

Keywords:- Cloud computing, data integrity, segregation and security, PaaS, IaaS, SaaS, and Denial of service attack.

1. INTRODUCTION

   Internet has been a driving force towards the various technologies that have been developed since its inception.

   Arguably, one of the most discussed among all of them is Cloud Computing [1].

   Cloud computing is a general term for anything that involves delivering hosted services over the

   Internet. It is an emerging computing technology that

   uses the internet and central remote servers to maintaindata. This system is very helpful for different users so that they can easily use the system without any externalsupport to software and hardware. They can also access their personal files at any computer on internet. Thistechnology allows for much more efficient computing by centralizing storage, memory, processing andbandwidth. The overall framework of cloudcomputing is shown in figure 1.

   Figure:1 overall framework of cloud computing

   Cloud computing is seen as a trend in the present day scenario with almost all the organizations are try to enterin to it. The

   advantages of using cloud computing are: i) Hardware and maintenance cost are reduced, ii) easy toaccess around the world, and iii) flexibility and the highly automated process wherein the customer need notworry about software up- gradation which tends to be a daily matter [2].According to the different types ofservices offered, cloud computing can be considered as of three layers. Infrastructure as a Service (IaaS) is thelowest layer that provides basic infrastructure support service. Platform as a Service (PaaS) layer is the middlelayer that provide executive environment for developing software. Software as a Service (SaaS) is the topmostlayer which features a complete application offered as service on demand [1]. Figure 2 explains the servicesmodels of cloud computing.

   Figure:2 cloud service models

   Infrastructure as a Service (IaaS) this is the base layer of cloud service model. It can be used to deliver the

   computer hardware as a service. It enables the provider to offer unlimited virtual server to customer and makecost effective use of hosting hardware. Eg.Amazon, Rackspace etc.,Platform as a Service (PaaS) this is themiddle layer of cloud service model. It provides an executiveenvironment for software development for developers over the internet. Developers write the code and the paasprovider provides a way to upload the code into the internet. Eg. Google App Engine,Software as a Service (SaaS) this is the highest layer

   of the cloud stack. It is designed to simply rent out thesoftware to the user. Eg.FacebookSalesForce etc. The using of cloud system usually depends on customer need [2].Based o that the system is divided into fourways:

   1. Public Cloud: It is used if the services can be used by large group or commonality. Ex: an entire industrialsector used one provider.

   2. Private Cloud: It is used only for one institution. It may be organized by institution itself.

   3. Community cloud: Infrastructure shared by several organizations for a shared cause and may be managed bythem or a third party service provider

   4. Hybrid Cloud: It is the combination of public cloud and private cloud.

      Moreover, Users can typically connect to clouds via different types of web based services or web browsers.Cloud system provides lot of pros and cons to the consumers.This paper discusses the various unresolvedsecurity concerns and the security risk associated with enterprise cloud computing including its threats, risk andvulnerability. This paper is originated as follows: section 2 deals with literature survey for existing securitytechniques available in cloud computing and section3 deals with security issues that exists in cloud computingand section 4 deals vulnerabilities available in cloud computing and section 5 deals withcurrent status ofsecurity in cloud computing and section 6 deals with conclusions derived from the survey.

2. RELATED WORK

   Several papers have been studied in the area of cloud computing security. Jinpeng et al [3] proposes a model to manage the virtual machine image in a cloud environment in secure manner. Theadvantage of this system isthat the access permission is private so that untrusted parties cannot access the system. The main drawback isthat the image filters cannot be accurate sothatsystem does not eliminate the risk entirely. Miranda, Siani [4] proposes a client based privacy manager for reducing the risk of misused the usersprivate data and also assist the cloud computing provider to conform the privacy law. The service provider hasto provide honest cooperation with the privacy manager. Otherwise this method is not effective one.

   Cong et al [10] proposes the system uses homomorphic token with distributed verification of erasure-coded data. It effectively detects an unauthorized access in cloud environment. Weichao Wang et al[11]provides efficient access to the outsourced data in the cloud environment. But this approach is not generic innature.

   Flavio, Roberto [5] proposes Transport Cloud Protection System (TCPS), is a middleware whose core islocated between the kernel and virtualization layer. This system is effective in detecting most kind of attacks.But this is not generalized one and it cannot be implemented in all scenarios.

   Kevin Hemalen et al [6] presents a layered framework for secure cloud. This system builds a trustedapplication

   from untrusted components. Abdul Ghafoor[12] proposes a method which is securely distributesthe software modules, to authorize user. But still there is a problem of distribution of software protection key ingrouped environment.

   Alvin, Chaudhary [7] proposes a Security Acess Control Services (SACS) model to improve thesecurity in cloud data. But still unknown killer application cannot be avoided. Ayesha ,Nazir [8] approach aframework for execution of data and information securely in cloud environment. Even though secure frameworkis used to protect the data, still cloud service

   providers face problems in encryption mechanism.

   Shantanuet al [9] proposes a trust based agent framework which provides security both at service

   provider level as well as at the user level in cloud environment. But it is able to handle only a limited number osecurity threats in a fairly small environment.

   Song et al [20] proposes dataprotection as services, which offer data security andprivacy oncloudplatform. These services can be provided using full disk encryption technique but it slow down dataaccess time.

   Saravanan et al[21] propose the method to provide the security by implementing the RSA algorithm to the datastored in third party area. But still there is a lack of security exists in cloud computing.

3. SECURITY ISSUES IN CLOUD COMPUTING

   Even though there is many advantage concerned in cloud computing, the organization are slow in accepting itdue to security issues associated with it. Security is one of the primary issues in cloud environment. Here thereare various security concerns given below which are applicable in cloud computing environment [13]:

   • Virtualization

   • Network Security

   • Policy and Compliance

   • Data location

   • Data integrity

   1. Virtualization:

      Virtualization is one of the main components of a cloud. Virtual machines are dynamic in nature so thatit is difficult to maintain security consistency. Vulnerabilities or configuration errors may be generatedeasily.The main issue in virtual machine is to keep maintaining the security state for a given time [13].

   2. Network Security:

      Networks have more security problem to deal with such as DNS attacks, Sniffer attacks, issue of reusedIP address, etc DNS attack

      It is the corruption of Domain Name System (DNS) server. A DNS server performs the translation of adomain name to an IP address. In this case, the user request one IP address but it is redirected to some otherunauthorizedcloud. Counter measure for this attack is that Domain Name System Security Extensions(DNSSEC). But this security measures prove to be inadequate one. [13].

      Sniffer attack is a more critical issueof network security in which unencrypted data are hacked throughthe internet during the communication between two parties. Figure3 represents theattacker . Countermeasurefor this attack is that the parties should use efficient encryption method for securing the data.

      Figure: 3 showing the attacker

      Issue of Reused IP Addresses

      Each node of a network is provided with an IP address and the number of IP addresses that can be

      assigned is limited. When a User leaves the network hen the IP-address assigned to him will be given to a newuser. But it causes lot of security issues to the new user if any time lag occurs between the variation of IPaddress in DNS and deleting of address in DNS Caches. [13]

   3. Policy and Compliance

      Cloud providers have to ensure that the customers data wont be breach any regulations even when theyleft the organization.

   4. Data location

      Clients might never know where the data is located [14].

   5. Data Integrity

   Data Integrity is essential in cloud storage which is critical for any data center. Keeping data in theclouds means users may lose control of their data and rely on cloud operators to enforce access control.

4. VULNERABILITIES CLOUD COMPUTING

   Vulnerability refers to the unauthorized access to the resources within the cloud environment. It may be aservice running on a server, unmatched applications or operating system software, or an unsecured physicalentrance. There are several significant vulnerabilities that should be considered when an organization is ready tomove their critical applications and data to a cloud computing environment, these vulnerabilities are described

   as follows [15]:

   1. Session Hijacking

      Session hijacking occurs when the attacker steals the users session id to gain unauthorized access for the

      information or services residing on a computer system. The diagrammatic representation of session hijacking isshown in figure 4.

      Figure:4 Diagrammatic representation of Session

   2. Virtual Machine Escape

      Virtual Machine (VM) escape is an exploit in which the attacker runs code on a VM to gain access onthe host operating systems. It is considered to be the most serious threat to virtual machine security.

   3. Insecure Cryptographic storage

      Insecure cryptographic storage means sensitive data such as username, password etc arent stored

      securelyi.e malicious users can access the insecurely stored data with a little effort. This vulnerability can beprevented by using strong encryption algorithm

   4. Vendor Lock-in

      Vendor lock-in is seen as one of the potential drawbacks of cloud computing. Lock-in, makes a clientdependent on a provider for products and services so they will be unable to deal with another provider withoutsubstantial switching costs [17]. Clients must be sure of their potential provider prior to provider selectionprocess. Lack of standards may also lock-in the clients with only one provider. Due to heterogeneous standardsand policies settled by each provider, clients are not able to easily migrate from one provider to another eventhough they want to do so.

   5. SQL injection

      This technique used to exploit web sites by altering backend SQL statements through manipulatingapplication input [16]. SQL Injection happens when a developer accepts user input that is directly placed into aSQL Statement and doesn't properly filter out dangerous characters. The attacker steals the data from databaseand modifies it.

   6. Denial of Service Attacks

      Denial of service means making the resources unavailable for the users. Usually this type of attack

      temporarily or infinitely stops a service of the host. This will be shown in figure5.In the cloud system the hackerattack on the server by simply sending thousands of requests to the server that server is unable to respond to theregular clientsin this way server will not work properly.

      Figure:5 DoS attack

5. CURRENT STATUS OF CLOUD SECURITY

   In order to secure cloud against various security threats, different cloud service providers adopt differenttechniques. The best solution to improve the security is that to develop the secured framework which has toughsecurity architecture. So

   that we will protect users data, message and information against various attack. Thesecured framework must use strong authentication and strong access control mechanisms .So that it will providemore security to data of customers from that are currently present within the cloud computing services. Thesecured framework must use strong encryption algorithm in order to protect the sensitive data before entering into the cloud. There are several encryption techniques are available in cryptography. Among all Gentry [18]describeshomomorphic encryption algorithm which is used to protect the data in cloud environment. One of themost used encryption techniques is Homomorphic encryption technique, which allows specific types ofcomputations to be carried out on cipher text and obtain an encrypted result which decrypted matches the resultof operations performed on plain text. MahaTEBAA [19] describes homomorphic encryption which is a newconcept of security which enables providing results of calculations on encrypted data without knowing the rawdata on which the calculation carried out, based on the data confidentiality. The secured framework canimplement homomorphic encryption technique in order to provide data confidentiality on cloud environment.

6. CONCULSION

Cloud computing offers great potential to improve productivity and reduces costs. It also poses many newsecurity risks. This paper describes the survey of the various unresolved security threats in cloud computingwhich are affecting the various stake-holders linked to it. More than ten papers were also surveyed regarding thecloud computing, merits of cloud computing, risks in cloud computing and various approaches to solve thoserisks eah with their pros and cons. We believe that due to the complexity of cloud system , it is very difficult toachieve security.New security techniques need to be developed and older security techniques needed to beradically twisted tobe able to work with the clouds architecture

REFERENCES

1.Rohit Bhaduria,SugataSugal, Survey on Security Issues in Cloud Computing andAssociated Mitigation Techniques ,International

Journal of computer applications, Vol: 47,No:18,June 2012, pp:47-66. 2.R.L.Grossman, The Case for Cloud Computing .IT

professional,vol.11(2),2009,ISSN:1520-9202, pp: 23-27.

1. Jinpeng Wei, Xiaolan Zhang, Glenn Ammons,VasanthBala,pengNing.Managing Security of virtual machine images in a cloud

   environment .CCSW09:Proceedings of the 2009 ACM workshop on Cloud computing security, November 2009, pp 91-96.

2. Miranda Mowbray, Siani Pearson A Client based privacy Manager for Cloud Computing. OMSWARE '09: Proceedings of the

   Fourth International ICST Conference on communication system software and middle ware, June 2009.

3. Flavio Lombardi, Roberto Di Pietro. Transparent Security for Cloud. SAC '10: Proceedings of the 2010 ACM Symposium on Applied

   Computing, March 2010, pp 414-415.

4. Kevin Hemalen, Murat Kantarcioglu, Latifur Khan, and BhavaniThuraisingham, The University of Texas at Dallas, USA, Security

   Issues for cloud computing, April-June 2010,internationalJournal of Information Security and Privacy.

5. F. A. Alvi, B.S Chaudhary, review on cloud computing security issues &challenges.

6. Ayesha Malik, MuhammedMohsinNazir,Security Framework for Cloud computing environment: Review, Journal of emerging

   Trends in computing and information sciences, Vol;3, No:3, March 2012, ISSN 2079-8407.

7. Shantanu Pal, SunirmalKhatua, NabenduChaki, SugataSanyal, A New Trusted and Collaborative Agent Based Approach for

   Ensuring Cloud Security, Annals of Faculty Engineering Hunedoara International Journal of Engineering (Archived copy), scheduled

   for publication in vol. 10, issue 1, January 2012. ISSN: 1584-2665.

8. Cong Wang, Qian Wang, KuiRen, and Wenjing Lou, Ensuring Data Storage Security in Cloud Computing, 17th International

   workshop on Quality of Service,2009, IWQoS, Charleston, SC, USA, July 13-15, 2009, ISBN: 978-1-4244-3875-4

9. Weichao Wang, Zhiwei Li, Rodney Owens, Bharat Bhargava. Secure and Efficient Access to Outsourced Data. CCSW '09:

   Proceedings of the 2009 ACM workshop on Cloud computing security, November 2009, pp: 55-65.

10. Abdul Ghafoor, SeadMuftic, Crypto NET: Software Protection and Secure Execution Environment, IJCSNS International Journal

    of Computer Science and Network Security, VOL.10 No.2, February 2010

11. Rabi Prasad Padhy, ManasRanjanPatra, Suresh Chandra Satapathy Cloud Computing: Security Issues and Research Challenges,

    International Journal of Computer Science and Information Technology & Security (IJCSITS), Vol. 1, No. 2, December 2011

12. Garter, Seven Cloud computing security risks, 2008[Online] Available http://www.infoworld.com

    B. Grobauer, T. Walloschek, and E. Stocker, Understanding Cloud Computing Vulnerabilities, Security & Privacy, IEEE, vol. 9, no.

    2, pp. 50-57, 2011

13. MervatAdibBamiah, sarfraz Nawaz Brohi, Seven Deadly Threats and Vulnerabilities in Cloud Computing International Journal

    Of Advanced Engineering Sciences And Technologies, Vol No. 9, Issue No. 1, pp:087 090

14. G., Petri, Vendor Lock-in and Cloud computing, [Online], Available: http://cloud computing.sys-con.com/node/1465147, 2010,

    [Accessed: 23-Jul-2011].

15. C. Gentry. A fully homomorphic encryption scheme. PhD thesis,

    Stanford University, 2009. Manuscript available at http://crypto.stanford.edu/craig

16. MahaTebaa, Saïd El Hajji, Abdellatif El Ghazi, Homomorphic Encryption Applied to the Cloud Computing Security, Proceedings

    of the World Congress on Engineering 2012 Vol I WCE 2012, July 4 – 6, 2012, London, U.K.

17. Song.D.,Shi.E,Fischer.I,Shankar.U, Cloud Data protection for the masses, IEEE computer Society,Vol: 45,issue:1,pg: 39-

    45,ISSN:0018-9162

18. N. Saravanan, A. Mahendiran, N. Venkata Subramanian and N.

Sairam, An Implementation of RSA Algorithm in Google Cloud

using Cloud SQL , Research Journal of Applied Sciences, Engineering and Technology, 4(19), October 01, 2012, ISSN: 2040-7467