Problems and Solutions: Infrastructure as a Service Security in Cloud

Ashok Kumar H, Dept. of Computer Science and Engineering, BTL Institute of Technology, Bangalore, India

Abstract: Cloud computing is a trend in computing models that raises many security issues at all levels: network, application, data and host. These models pose different security challenges depending on the consumer's model and QoS (quality of service) requirements. Privacy, authentication and secrecy are the main concerns for both consumers and cloud providers. IaaS serves as the base for the other models; if security in this model is uncertain, it will affect the other models too. This paper examines the exposures and their countermeasures. As research, we propose a security assessment and improvement for the IaaS layer.

The essential models of cloud computing are Software, Platform and Infrastructure as a Service. These models are accessed by customers or consumers as services via the Internet, and the services are usable on a pay-as-you-need basis, where users pay only for the resources they use and for how long, unlike other services such as web hosting; the price varies according to the QoS requirements. Based on their relationship with the organization, clouds are sorted into Public, Hybrid and Private. A private cloud refers to an internal data center of an organization that is not open to the general public. Some emerging and renowned cloud computing platforms are Amazon and Windows Azure. Cloud computing and SOA (Software Oriented Architecture) are often mixed up, but they are considered complementary services that share common characteristics: SOA is a set of rules, principles and methodologies designed to help communication and system integration irrespective of development languages and platforms, whereas cloud computing is planned to let companies utilize bulk capacity instantly without investing in new infrastructure, training, recruiting new staff or licensing software. Cloud computing depends on IaaS to provide cheap, pay-as-you-go power for data storage and other shared resources.

Fig. a) Cloud Delivery Models (layers shown: Cloud Computing; Component as a Service (CaaS); Platform as a Service (PaaS); Infrastructure as a Service (IaaS): Servers, Virtualization)

We looked into security for each IaaS component: Utility Computing (UC), Service Level Agreement (SLA), Platform Virtualization, Networks and Internet Connectivity, and Computer Hardware.

Volume X, Issue X, Month Year

International Journal of Innovatory research in Science and Management - IJIRSM


IAAS Components

IaaS consists of several components which have been developed over the years, but applying them in an outsourced and shared environment carries multiple challenges; breaching the security of any one component can collapse the entire system.

A. Service Level Agreement (SLA)

Cloud computing brings a set of IT management complexities, and the SLA is the answer for assuring an acceptable level of QoS. An SLA encompasses contract definition, negotiation, monitoring and enforcement. The contract definition and negotiation stage is very important for understanding the benefits and responsibilities of each party; any mistake will affect security and leave the client exposed to vulnerabilities. Monitoring and enforcing the SLA is important for building trust with the client.

B. Utility Computing

This concept is not new; it played a crucial role in the development of grid computing. It bundles resources (e.g. bandwidth, storage) as a measured service, which reduces the cost of owning resources: the client pays according to usage, and it was developed to support scalable systems. Amazon provides a second-level method to measure the usage of AWS services and bill the user according to the prices.

C. Cloud Software

Many open-source cloud software implementations exist, such as Nimbus, which binds the cloud components together and provides software and APIs for performing management functions; however, bugs in this software cannot be ruled out.

D. Platform Virtualization

Virtualization is a basic technology used in cloud services: it allows many stand-alone systems to be assembled on a single platform by virtualizing the computing resources (e.g. CPU, memory, network and storage). Virtualization enables scalability and multi-tenancy.

E. Network and Internet Connectivity

To serve availability and performance, the cloud infrastructure spans multiple geographical sites to minimize response time and the damage from unpredicted disasters. Each site is connected locally as a LAN and is connected with the other sites by high-speed Internet connections. Together these sites compose the cloud infrastructure, which serves remote clients through the Internet. Thus the cloud inherits the conventional vulnerabilities of both the Internet and computer networks.

Logical network segmentation: A restrictive and structured network configuration needs to be applied in IaaS environments alongside the isolation power of the hypervisor. VLANs provide isolated segments that prevent external VMs from monitoring internal traffic; for instance, bridges forward unicast, multicast and broadcast traffic on a VLAN segment only to VMs that have a virtual interface in that segment. The administrator needs to choose the best connection model between VLANs, i.e., NAT, routing or simple bridging. Thus virtual networks avoid wasting bandwidth and offer more security and performance.

Firewalls: Using firewalls, we enforce the organization's security policy by implementing rules that check traffic based on source IP address and service port.

Traffic encryption: To access outsourced infrastructure on clouds, clients need secure channels that ensure the integrity and privacy of transferred data. VPNs provide an encrypted tunnel between client and provider using Layer 2

Network monitoring: In the IaaS model, providers are responsible for monitoring the network to sustain an acceptable QoS. The monitoring process includes fault detection, detection of malicious activity, and troubleshooting. Network monitoring in the cloud is not as simple as in a traditional network, because the cloud is geographically distributed and depends significantly on resource sharing. Moreover, the cloud infrastructure is a public environment whose monitoring records refer to multiple anonymous users.
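The logical network segmentation and firewall controls described above, as an added example that is not from the paper: VLAN segments are modelled as address ranges, a bridge forwards traffic only inside its own segment, and traffic crossing segments must match an explicit firewall rule. The paper's rules filter on source IP and service port; a destination segment is added here as an assumption so cross-tenant traffic can be expressed, and all segments, rules and flows are constructed sample values.

```python
# Added example, not from the paper: a minimal model of VLAN segmentation
# plus firewall rules. The paper's rules filter on source IP and service
# port; the destination segment field is an assumption added here. All
# segments, rules and flows below are constructed sample values.
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed VLAN segments: each tenant's VMs get their own segment.
SEGMENTS = {
    "tenant-a": ipaddress.ip_network("10.1.0.0/24"),
    "tenant-b": ipaddress.ip_network("10.2.0.0/24"),
    "services": ipaddress.ip_network("10.9.0.0/24"),  # shared HTTPS API
    "mgmt": ipaddress.ip_network("10.99.0.0/24"),     # provider admins
}

@dataclass
class Rule:
    src: str      # source segment name
    dst: str      # destination segment name (assumed extra field)
    dport: int    # service port on the destination
    action: str   # "allow" or "deny"

# Constructed firewall policy between segments; first match wins, default deny.
RULES = [
    Rule("tenant-a", "services", 443, "allow"),
    Rule("tenant-b", "services", 443, "allow"),
    Rule("mgmt", "tenant-a", 22, "allow"),
    Rule("mgmt", "tenant-b", 22, "allow"),
]

def segment_of(ip: str) -> Optional[str]:
    """Name of the VLAN segment that contains ip, or None if unknown."""
    addr = ipaddress.ip_address(ip)
    return next((n for n, net in SEGMENTS.items() if addr in net), None)

def decide(src_ip: str, dst_ip: str, dport: int) -> str:
    """Return 'allow' or 'deny' for one flow."""
    src_seg, dst_seg = segment_of(src_ip), segment_of(dst_ip)
    if src_seg is None or dst_seg is None:
        return "deny"            # address outside every segment: drop
    if src_seg == dst_seg:
        return "allow"           # a bridge forwards frames inside its VLAN
    for r in RULES:              # crossing VLANs: only via an explicit rule
        if (r.src, r.dst, r.dport) == (src_seg, dst_seg, dport):
            return r.action
    return "deny"                # no rule matched: default deny
```

With these rules a tenant-a VM reaches the shared API on 443 but cannot reach a tenant-b VM on any port, while only the mgmt segment may open SSH to tenant VMs.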

F. Computer Hardware

IaaS offers an interface to a pool of distributed physical resources (e.g., network components, storage devices and CPUs) and delivers a shared business model to serve many users. Virtualization, as we saw previously, can protect shared computing resources and control communication at the network and hardware levels. Even though many private organizations move hardware components to locked rooms accessible only by trusted and authorized persons, a survey showed that over 70% of attacks on organizations' confidential data occur internally.

Computing resources: An attacker may gain physical access to the machine. Depending on the attacker's intention, there are many scenarios. The first is denial of service by switching off the machine or removing any of the hardware resources; this is not a common attack, but it can spoil the company's reputation. Hence IaaS providers should carefully control access to physical resources. The second scenario is stealing or corrupting the company's specific data for the benefit of other companies or of the attacker.

Storage resources: IaaS providers play a very essential role in protecting clients' data. Whatever the level of data security, data can end up on retired or replaced storage devices. Usually, companies do not have a restrictive policy for managing retired devices, which could accidentally be given to untrusted people. Every organization is supposed to assure the security of clients' data along the whole life cycle. Encryption would be a better solution, but it might prevent other users from accessing the data.

As a result of this research, we propose a Security Model for IaaS (SMI) as a guide for providing and raising security for each layer of the IaaS delivery model, as shown in Fig. b. The SMI model consists of three sides: the security model, the restriction level and the IaaS component model. The front side of the cube is the IaaS component model. The security model side includes three vertical entities, each covering all IaaS components. The first entity is the Secure Configuration Policy (SCP), which assures secure configuration for every layer of IaaS, whether software, hardware or SLA configuration; misconfiguration incidents can usually compromise the entire security of the system. The second entity is the Secure Resources Management Policy (SRMP), which controls privileges and management roles. The last entity is Security Policy Monitoring and Auditing (SPMA), which is important for tracking the system life cycle. The restriction policy side specifies the level of restriction for the security model entities; the level of restriction ranges from loose to tight depending on the client, the provider and the service requirements.

Fig. b) Security Model for IaaS

IaaS is the foundation layer of the cloud computing delivery model and consists of multiple components and technologies. Each component of the cloud infrastructure service has its own vulnerabilities, which may impact the security of the whole cloud. In this paper we investigated the security challenges associated with IaaS implementation and deployment and, based on our research, proposed a few solutions for the existing IaaS models.



Table: Threats/Challenges and Solutions per IaaS Component

IaaS Component: Service Level Agreement (SLA)
  Threats/Challenges: Enforcing SLA; monitoring of SLA; monitoring QoS attributes.
  Solutions: SLA monitoring and enforcement in SOA and the Web Service Level Agreement (WSLA) framework.

IaaS Component: Utility Computing
  Threats/Challenges: Billing with multiple levels of providers; measuring on-demand billing system availability.
  Solutions: Amazon DevPay.

IaaS Component: Cloud Software
  Threats/Challenges: Attacks against web services; attacks against XML.
  Solutions: SOAP Security Extensions; XML Signature and XML Encryption.

IaaS Component: Networks & Internet Connectivity
  Threats/Challenges: DDoS; Man-in-the-Middle attack (MITM); IP spoofing; DNS security and port scanning.
  Solutions: Intrusion Detection System (IDS) and Intrusion Prevention System (IPS); logical network segmentation and firewalls; traffic encryption; network monitoring.

IaaS Component: Virtual Machines
  Threats/Challenges sourced from the host: monitoring VMs from the host; VM modification; communications between VMs and host.
  Threats/Challenges sourced from a VM: monitoring VMs from another VM; communication between VMs; VM provisioning and migration; mobility; resource denial of service.
  Solutions for host-sourced threats: Terra; Trusted Virtual Datacenter (TVDc); Mandatory Access Control (MAC); Trusted Cloud Computing Platform.
  Solutions for VM-sourced threats: IPSec; encryption; Xen security through disaggregation; LoBot architecture for secure VM provisioning and migration; VPN.

IaaS Component: Computer Hardware
  Threats/Challenges: Physical attacks against computer hardware; data security on retired or replaced storage devices.
  Solutions: Highly secure locked rooms with monitoring appliances; multi-party accessibility to encrypted storage; transparent cryptographic file systems; self-encrypting enterprise tape drive TS1120.

