VIRTUALIZATION SECURITY

Prateek Sharma Department of computer science, Jagannathgupta institute of technology

email-id: sharma.prateek23@gmail.com

Abstract
An evolving sub-domain of computer security, network security, and, more broadly, an information security. It refers to a broad set of policies, technologies, and controls deployed to protect data, applications, and the associated infrastructure of cloud computing. Security issues faced by cloud providers (organizations providing Software, Platform, or Infrastructure-as-aService:IaaS via the cloud) and security issues faced by their customers. Protection of dynamically scalable shared resources accessed over a network. It looks at the security implications and challenges that IaaS presents and offers best practices to service providers and enterprises hoping to leverage IaaS to improve their bottom line in this severe economic climate. To ensure data security and privacy, cloud providers attend to the following areas: Data protection, Physical and personnel security and Application security. Various security issues are: Data Loss, Downtimes, Phishing, Password Cracking, Botnets and Other Malware. Keywords : Phising, Botnets, Malware, etc.

1. INTRODUCTION
Cloud Computing is a model that can be rapidly provisioned and released with minimal management effort or service provider interaction in order to enable convenient, on-demand network access to a shared pool of configurable computing resources(e.g., networks, servers, storage, applications, and services). Cloud computing security also known as cloud security is an evolving sub-domain of computer security, network security, and, more broadly, information security. It refers to a broad set of policies, technologies, controls and techniques deployed to protect data, applications and the associated infrastructure of cloud computing.

Cloud security is not to be confused with security software offerings that are "cloud-based" also known as security-as-a-service. Many commercial software vendors have offerings such as cloud-based anti-virus or vulnerability management.

[4]According to Brucon 2010 talks, this presentation will be technical in nature and focus on how security practitioners can leverage public IaaS clouds today, to create an ad-hoc security test lab for both offensive and defensive security research. Well explore prior use cases of cloud by security researchers, define a simple test lab network architecture and associated requirements, get an overview of existing IaaS capabilities and the challenges youll face when replicating even relatively simple network topologies (along with some workarounds). At the end of this presentation, attendees will know how to build their own virtual skylab. [1]Today, in 2011 Chris Challis refers to at least one of four aspects, but not necessarily all of them: Access through the front door Access through the back door Data transmission from data centre to user Business continuity, back-up and disaster recovery [8]Seven of the specific security issues Gartner says customers should raise with vendors before selecting a cloud vendor: Privileged user access. Regulatory compliance. Data location. Data segregation. Recovery. Investigative support. Long-term viability. The premost statement of the Cloud Security Alliance means to form a non-profit organization to promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing.

FIGURE 2.

2. SECURITY ISSUES

Data Loss: Important personal data such as contacts, photos, calendar entries, etc may lost due to server failure therefore their privacy maintenance is a basic issue. Downtimes: It refers to a period when a system i.e., network or servers is unavailable. It is caused due to failure in hardware, software, interconnecting equipments such as routers, wireless transmission, etc. Phishing: It is a way of acquiring sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity. This technique directs user to enter their details in fake page whose look and feel are exactly same as that of the legitimate one. Password Cracking: Well known term, refer to recover password from data that has been stored in or transmitted by computer system. It is used to describe the penetration of a network, system, or resource with or without the use of tools to unlock a resource that has been secured with a password. Botnets and Malware: It is a collection of compromised computers connected to the Internet, termed bots, that are used for malicious purposes. Identity Management: Broad administrative area that deals with identifying individuals in a system and controlling access to the resources in that system by placing restrictions on the established identities of the individuals. Decides the basis to identity humans and authorized them across worldwide spread computer networks.[7] Application Security: Cloud providers ensure that applications available as a service via the cloud are secure by implementing testing and acceptance procedures for outsourced or packaged application code. It also requires application security measures be in place in the production environment. Privacy: It refers to the evolving relationship between technology and the legal right to, or public expectation of privacy in the collection and sharing of data about one's self. It includes whether email can be stored or read by third parties without consent, or whether third parties can track the web sites someone has visited. No Security Parameter: Little control over physical or network location of cloud instance. Network access must be controlled on a host by host basis.

3. Security in the Cloud

Cloud architectures must have well-defined security policies, methods and procedures. There are specific security issues that anyone considering cloud computing must address to ensure that they will still have adequate security policy control over applications and services; as well as meeting customer service level agreements on security while remaining compliant with rules and regulations on data security. Integrated Cloud Security: IT teams can also leverage a virtual infrastructure aware IPS solution, integrated with the hypervisor, to provide the needed visibility and security to

prevent communication directly between hosted partitions within the virtual server. These directly integrated solutions employ hypervisor-based APIs, and can also be used to ensure that even offline virtual machines are protected and can stay up to date with patches, AV/IDS signatures filters and rules while they are in an offline or mobile state. [6] Cloud Burst Security: One of the primary advantages of cloud computing is that enterprises can move applications that consist of several virtual machines to the cloud provider when the physical environment requires additional processor or compute resources. These bursting virtual machines need security policies and baseline histories to move with them. When a virtual machines moves, if the security policy does not accompany it, that virtual machines becomes vulnerable. In addition, when virtual machines move, they lose their performance histories and administrators must re-evaluate the virtual machine performance baselines.[6] Compliance Concerns: The auditing community is aware that current practices for auditing cloud environments are inadequate. As compliance grows in importance, enterprise implementing clouds need to satisfy their auditors concerns, especially since creating an identity for an individual virtual machine and tracking that virtual machine from creation to deletion creates challenges for even the most mature virtualized environments. Virtual machine sprawl-- when the number of virtual machines being created is growing more quickly than an enterprises ability to manage them-- adds complexity.[5] Isolate networks: The first responsibility of the cloud provider is to provide a level of isolation between all of the different networks that are a part of the virtualization infrastructure. These networks include management networks, VMware VMotion or Live Migration networks, IP storage networks, and individual customer networks. All of these networks should be segmented from each other. Administrators can use a couple primary methods to achieve isolation.[2] Secure customer access to cloud-based resources: Customers will need to have a way to access their resources that are located within the cloud and be able to manage those resources in a secure manner. Therefore, it is incumbent upon the cloud provider to supply the customer with a management portal that is encrypted. SSL Encryption would be the most common tool for this task.[6] Strong authentication, authorization and auditing mechanisms: It is very important in this type of shared environment to properly and securely authenticate system users and administrators and provide them with access to only the resources they need to do their jobs or the resources that they own within the system. It is also very important in a cloud environment to know who is doing what within the system, when they did it, and what exactly they did.[15]

4. CONCLUSION
In this digital era where storage of information is a very crucial issue, cloud security is a major area of concern. International Data Corporation analyzed the worldwide forecast for cloud service in 2009 as being of the order of $17.4bn and estimating revenues for 2013 as potentially amounting to $44.2bn. In our views cloud can offer great help in variety of sectors ranging from

telecom to social networking, banking to hospitals etc. You name it and cloud is there to assist you and make your work more manageable. Consumers depend on the cloud to handle a wide range of services like email, tax filing, credit reports, without considering the security of the system. Thus cloud security has a lot of application in future so we cannot undermine its security issues.

REFERENCES
[1] Cloud computing/cloud security details.htm [2] https://www.owasp.org/images/1/12/Cloudy_with_a_chance_of_0_day_-_Jon_RoseTom_Leavey.pdf [3] http://www.neoppt.com/search/pdf-research-papers-on-cloud-computing-security [4] http://www.eecs.berkeley.edu/~elaines/docs/ccsw.pdf [5] http://www.clavister.com/documents/resources/white-papers/clavister-whp-security-in-thecloud-gb.pdf [6] http://www.vmware.com/files/pdf/cloud/VMware-Savvis-Cloud-WP-en.pdf [7] http://en.wikipedia.org/wiki/Cloud_computing_security [8] http://www.infoworld.com/d/security-central/gartner-seven-cloud-computing-security-risks853 [9] https://cloudsecurityalliance.org/research/working-groups/security-as-a-service [10] http://www.perfecttermpapers.com/blog/research-paper-on-cloud-computing-security [11] http://www.ists.dartmouth.edu/docs/HannaCloudComputingv2.pdf [12] http://www.sans.org/reading_room/analysts_program/mcafee_carbird_08_2010.pdf [13] http://www.cloudsecurityalliance.org/guidance [14] http://www.cloudsecurityalliance.org/topthreats [15] https://cloudsecurityalliance.org/topthreats/csathreats.v1.0.pdf [16] There are various books regarding cloud security which can be referred:

Cloud Security and Privacy: An Enterprise Perspective on Risks and Compliance, by Tim Mather, Subra Kumaraswamy, and Shahed Latif; O'Reilly Media Inc, 2009 Cloud Computing: Implementation, Management, and Security, by John Rittenhouse and James Ransome; CRC Press 2010 Cloud Security: A Comprehensive Guide to Secure Cloud Computing, by Ronald Krutz and Russell Vines; Wiley Publishing Inc, 2010 Securing the Cloud: Cloud Computer Security Techniques and Tactics, by Vic Winkler, Syngress, 2011 (in progress)

[17] http://blogs.oracle.com/drcloud/entry/cloud_security_books [18] http://ebookee.org/Cloud-Security-A-Comprehensive-Guide-to-Secure-CloudComputing_981366.html [19] http://cloudsecurity.org/about.html [20] http://www-03.ibm.com/security/cloud-security.html [21] http://mcpmag.com/articles/2011/07/18/cloud-security-debate-continues.aspx [22] http://www.managedsecuritysource.com/cloud-computing-security.html

Made by: Prateek sharma