Security in Cloud Computing Systems vs. Non-Cloud Computing System
Cloud computing is a new technology that has attracted huge attention from all sectors (Shaikh & Haider 2011, p. 214; Shaikh & Sasikumar 2012, p. 4). In non-cloud computing system, data owners have direct control over their data hence they are able to physically administer data security. In contrast, in cloud computing, data owners are unable to trust the cloud since the technology is located away from their trusted sphere. As a result, the likelihood of data loss or leakage is high (Bhayal 2011, p. 1).
In non-cloud computing technology, sensitive data stored in a computer is encrypted by the owner to prevent unlawful access. In contrast, in cloud computing, the cloud provider encrypts customer’s data before it is stored in the cloud. Nonetheless, even the most effective encryption method is susceptible to hacking. Therefore, the third party auditors (TPAs) are commonly used to establish trust between auditors and data owners as well as ensure integrity of client’s data stored in the cloud.
This implies that TPA can turn out to be the weakest link and result in data loss or leakage (Bhayal 2011, p. 3). Therefore, whereas data integrity in non-cloud computing can be monitored by data owners, this is not the case in cloud computing because data integrity check in executed via TPA, an intermediate link which is susceptible to security risks (Garber 2011, p. 21; Bisong & Rahman 2011, p. 30; Wang et al., 2002, p. 1).
Additional security requirements for cloud computing systems
Confidentiality
The cloud computing system is currently offered on public networks. Consequently, the technology is more susceptible to attacks compared to those offered in private data centres (Zhou et al., 2010, p. 107). Cryptography and physical isolation are the two primary techniques used by cloud providers to ensure data confidentiality.
Since cloud technology is provided on a public network platform, network middleboxes (i.e. packet filters, firewalls) and virtual Local Area Networks (LANs) can be installed to realize virtual physical isolation. Data confidentiality in the cloud can also be augmented by encrypting data before storage (Zhou et al., 2010, p. 108; Wang et al., 2011, p. 282).
Data integrity
There are several techniques that can be adopted to secure data integrity in the cloud. For example, Zetta system is a storage service that ensures data integrity. Zetta system uses Redundant Array of Independent Nodes 6 (RAIN-6) for main data hosting services and lends credence to data integrity.
RAIN-6 can restore bit errors and drive failure that may arise from memory corruption, power shortages and network malfunction. This data integrity attribute is realized via data placement by means of node stripping (Zhou et al., 2010, p. 108). Digital signature is also used to test data integrity. For instance, HDFS and GFS typically split data in bulky volumes into smaller blocks. Digital signatures are then appended on each block before the data is physically stored (Zhou et al., 2010, p. 109; Azab 2012, p. 3).
Availability
In cloud computing systems the aim of availability is to ensure that remote users can access infrastructures and applications from anytime. Redundancy and hardening are used to augment the availability of cloud computing system. Virtual machines are used to augment availability of cloud systems to end-users.
For instance, the virtual machine Xen can provide several services such as storage virtualization and separated memory virtualization which are hosted on various commodity PCs. Consequently, cloud vendors can provide their customers with different resources (i.e. memory space, storage capacity) from Amazon.
In essence, all these services are hosted by the virtual machine since cloud providers rely on it to link servers and to offer a robust, scalable system. In addition, established cloud suppliers provide geographic redundancy in their cloud systems in order to boost availability of infrastructures and platform in a single cloud Zhou et al., 2010, p. 107; Ramgovind et al., 2010, p. 4).
Entity authentication
Entity authentication is undoubtedly a major issue in accessing cloud services. AAA can be deployed in cloud computing to manage entity authentication process. When a user attempts to access the cloud system, his/her authentication data is checked by AAA. AAA then selects appropriate IDS with security level that matches the anomaly level of the user. AAA then asks the host OS to assign guest OS image for the user.
Once the entity is authenticated, AAA obtains the user’s generated anomaly level by examining the user’s data in the database (Lee et al., 2011, p. 553). Multifactor authentication, virtual private networks (VPNs), intrusion detection systems (IDSs) and intrusion prevention systems (IPSs) can also be used to augment entity authentication in the cloud.
TCP and TPM mechanisms can be integrated in cloud services to trace and locate users. This is because the user’s identity is verified by the entity’s private keys entrenched in TPM or BIOS hardware. Consequently, users are unable to fake their identity when they attempt to access cloud services (Shen & Tong 2010, p. 13).
Message origination authentication
Message origination authentication is the ability to verify the validity of the source of data received via cloud computing system. There are various technologies that can be used to accomplish this goal.
For instance, infostructure technology may be used to encrypt message to prevent data tampering during transportation (Peterson 2010, p. 83). Gateway security technology can also be used to provide message security services such as message integrity (using XML), encrypted message via XML encryption and message authentication via XML Signature (Peterson 2010, p. 85).
Timeliness
Integrity measurement is one of the major issues in developing trust in the cloud system. In order to address this issue, TOCTTOU (Time of Check to Time of Use) can be used to ensure consistency of integrity past the measurement time. Since runtime susceptibility in the user programs can be employed to alter the measured program or bypass the measurement procedure before they perform, HIMA can be used to prevent alterations on the measured user programs (Azab 2012, p. 28).
Non-repudiation (origin)
Repudiation in the existing cloud storage platform is poorly managed since the one-way integrity is only authenticated by a one-way SSL session. Consequently, cloud users are unable to determine whether the data sent via the cloud is altered (Feng et al., 2010, p. 4). Non-repudiation in data transmission can be realized if the sender appends non-repudiation of origin (NRO) to the message before sending it.
The sender must also attach IDs (i.e. the TTP, the recipient and the sender) in the plaintext message. The evidence must also include the hash of the data and the hash result of these IDs (Feng et al., 2010, p. 6).
Non-repudiation (destination)
During data transmission, the receiver must corroborate the authenticity of data received via a process called non-repudiation of receipt (NRR). To attain non-repudiation, the sender must use his/her personal key to sign the hash value. When data transmission is done, the receiver gets NRR (from the sender) while the sender gets NRO from the receiver. Thus, non-repudiation protocol can be used to verify the integrity of the data transmitted (Feng et al., 2010, p. 6).
Authorization
The client nodes can be used in the cloud platform to authorize access to data in the clouds. Identity and Access Management (IAM) is another protocol that can be used to manage users accessing data in the cloud. In addition, sign-on capability function can be adopted in the cloud system to enable cloud users access cloud services easily (Reddy & Reddy 2011, p. 7152; Gruschka & Jensen 2010, p. 276).
Access control
Airavat can be adopted in the cloud systems to control access to data stored in the clouds. Airavat employs decentralized information flow control (DIFC) to prevent unauthorized access to data in the clouds. For instance, Airavat stops Mappers from transmitting data via unprotected network connections. In addition, Airavat can execute privacy-preserving computations within the MapReduce system thereby enabling cloud users to add their personal mappers (Zhou et al., 2010, p.109).
Traffic flow confidentiality
Traffic flow confidentiality is a critical issue in cloud computing (Vouk 2008, p. 235). Nonetheless, this problem can be resolved by using web applications such as TLS protocols to encrypt data before transmitting it via the cloud platform. In addition, access controls (i.e. authentication, authorization) can provide confidentiality of data transmitted via cloud systems (Reddy & Reddy 2011, p.7152).
References
Azab, M 2012, New System Security Mechanisms for the Cloud Computing Infrastructure, UMI Dissertation Publishing, North Carolina.
Bhayal, S 2011, A Study of Security in Cloud Computing, UMI Dissertation Publishing, Ann Arbor.
Bisong, A & Rahman, S 2011, ‘An Overview of the Security Concerns in Enterprise Cloud Computing’, International Journal of Network Security & Its Applications, vol. 3 no. 1, pp. 30-45.
Feng, J, Chen, Y, Ku, W & Liu, P 2010, Analysis of Integrity Vulnerability and a Non-repudiation Protocol for Cloud Data Storage Platforms, Systems and Technology Group, IBM Endicott, NY.
Garber, L 2011, ‘Serious security Flaws Identified in Cloud Systems’, IEEE Computer Society, pp. 21-23.
Gruschka, N & Jensen, M 2010, ‘Attack Surfaces: A Taxonomy for Attacks on Cloud Services’, IEEE Computer Society, pp. 276-279.
Lee, J, Park, M, Eom, J & Chung, T 2011, ‘Multi-level Intrusion Detection System and Log Management in Cloud Computing’, ICACT, pp. 552-555.
Peterson, G 2010, ‘A security Architecture stack for the Cloud’, IEEE Security & Privacy, pp. 83-86.
Ramgovind, S, Eloff, M & Smith, E 2010, ‘The Management of Security in Cloud Computing’, IEEE, pp.1-7.
Reddy, V & Reddy, L 2011, ‘Security Architecture of Cloud Computing’, International Journal of Engineering Science and Technology, vol. 3 no. 9, pp. 7149-7155.
Shaikh, F & Haider, S 2011, ‘Security in Cloud Computing’, IEEE, pp. 214-219.
Shaikh, R & Sasikumar, M 2012, ‘Security Issues in Cloud Computing: A Survey’, International Journal of Computer Applications, vol. 44 no. 19, pp. 4-10.
Shen, Z & Tong, Q 2010, ‘The Security of Cloud Computing System enabled by Trusted Computing Technology’, IEEE, vol. 2, pp. 11-15.
Vouk, M 2008, ‘Cloud Computing: Issues Research and Implementations’, Journal of Computing & Information Technology, vol. 4 pp. 235-246.
Wang, C, Carzaniga, A, Evans, D & Wolf, A 2002, ‘security Issues and requirements for Internet-Scale Publish-Subscribe Systems’, IEEE, pp. 1-8.
Wang, C, Wang, Q & Ren, K 2011, ‘Towards Secure and Effective Utilization over Encrypted Cloud Data’, IEEE, pp. 282-286.
Zhou, M, Zhang, R, Xie, W, Qian, W & Zhou, A 2010, ‘Security and Privacy in Cloud Computing: A Survey’, IEEE, pp. 105-112.