
Security and Privacy Issues in Cloud Computing

Anyway Chare (N01521922Q)


National University of Science and Technology, Bulawayo, Zimbabwe

Abstract
Cloud computing has transformed a large part of the IT industry, making software even more
attractive as a service and shaping the way IT hardware is designed and purchased. It extends
information technology's existing capacity and adds capabilities to existing IT infrastructure
without investing in new infrastructure, training new personnel, or licensing new software. Cloud
Service Providers (CSP) take advantage of virtualization technologies, combined with
self-service capabilities, to provide access to computing resources via the internet. However,
the network security and privacy of computer system resources is a cause for concern for cloud
computing users when it comes to conducting business on the public cloud and putting sensitive
data in the hands of third-party entities. This paper identifies security and privacy concerns
arising in the cloud computing environment and outlines solutions to privacy and security
concerns as data resources move from on-premise storage to public cloud environments.
Keywords: Cloud Computing, network security and integrity, virtualization

1. Introduction
Information Communication Technology (ICT) has become an everyday part of modern day
business. In recent years, cloud computing has emerged from being just a business concept to
one of the fastest growing sectors of the information technology industry. It has seen more and
more businesses realizing that by tapping into the cloud they can benefit from the abundant
business applications or significantly enhance their infrastructure resources at very minimal cost.
However, as more and more information on individuals and companies is passed onto the cloud,
concerns have grown about the safety of the cloud environment.

Cloud computing is a technological concept in which IT operations are extended to consumers as
services and accessed remotely anytime with an internet connection. The U.S. National Institute
of Standards and Technology describes the cloud computing architecture as having the following
attributes:
i. Elasticity: The ability to scale up or down, as workload resource needs increase or
decrease
ii. Resource Pooling: The computing resources are shared to serve multiple consumers
using a multi-tenant model, with different physical and virtual resources dynamically
assigned according to consumer demand
iii. On-demand self-service: A consumer can unilaterally provision computing
capabilities, server time and network storage automatically without requiring human
interaction with the service provider.
iv. Connectivity: the ability to connect to the cloud from anywhere and anytime.
Capabilities are available over the network and accessed through standard mechanisms
(e.g. Laptops, Mobile phones, etc.)
v. Measured Service: pay-as-you-go billing.
2. Security in cloud computing
2.1 Security in cloud computing is likely to become increasingly complex because there will now
be a number of data resources that are under one business's control, and they will also be
interoperating with those that are not under the business's control. This gives rise to security
concerns as follows:
i. The user is not aware of how cloud services are provided.
ii. There is no delimitation of the network security border
iii. Cloud computing implies loss of control of data resources.
iv. Risk of compromise of confidential information and intellectual property

2.2 The deployment model of cloud computing describes how the cloud is located. It defines the
scope in which the services are located. There are four cloud computing deployment models:
i. Private Cloud: this is solely for an organization
ii. Public Cloud: this is for the general public
iii. Community Cloud: for shared concerns
iv. Hybrid Cloud: composition of two or more clouds
2.3 What is Computer Security and Privacy?
It is the protection afforded to an automated information system in order to attain the objectives
of preserving the integrity, availability and confidentiality of information system resources.
Cloud computing service providers should protect the assured collection, processing,
communication, use and disposition of personal information in the cloud. Concerns about cloud
security and privacy often make users and enterprises cautious with their sensitive and
critical data.
2.4.1 Data Security
Data security is one of the most significant problems in the field of cloud computing. In the
cloud computing environment, important data, files and records are entrusted to a third party,
which makes data security the main security issue of cloud computing. For example,
Google's customer information leaked out in 2009. More than 70 percent of the Chief Technical
Officers (CTOs) think of not using cloud computing (Gartner, 2009). They attribute this
primarily to the problem of data security in the cloud.
2.4.2 Data Storage Security
There are several problems about data storage security. First of all, cloud computing is not just a
third-party database, so traditional database security solutions cannot be adopted directly.
Secondly, cryptographic methods cannot be adopted. If such methods are used to guarantee cloud
data security, customers will lose control of cloud data. Therefore, the verification of correct data
storage must be conducted in the cloud without explicit knowledge of cloud data. Also, cloud
computing is managed by data centers running in a cooperated, simultaneous and distributed
manner, so distributed protocols play the key role in achieving a secure cloud data storage
system.
2.4.3 Security Attacks in the Cloud
i. Denial of Service (DoS) attacks: Some security professionals have argued that the cloud is
more vulnerable to DoS attacks, because it is shared by many users, which makes DoS attacks
much more damaging.
ii. Side Channel attacks: An attacker could attempt to compromise the cloud by placing a
malicious virtual machine in close proximity to a target cloud server and then launching a side
channel attack.
iii. Authentication attacks: Authentication is a weak point in hosted and virtual services and is
frequently targeted. The mechanisms used to secure the authentication process and the methods
used are a frequent target of attackers.
iv. Man-in-the-middle cryptographic attacks: This attack is carried out when an attacker places
himself between two users. Anytime attackers can place themselves in the communications path
there is the possibility that they can intercept and modify communications.
2.4.4 Network Security
Cloud computing is implemented in a networked IT infrastructure. It can never be ignored that
security on the network poses great worry to cloud users. Many network security issues exist,
some of which are as follows:
i. Network penetration and packet analysis
ii. Session management weaknesses
iii. Insecure SSL trust configuration
Whilst the above form the core of the issues to do with cloud security, there are other security
issues that can be significant in cloud computing such as web application security. The web
applications being used to access resources in the cloud may be a subject of attack or may
become the weak link in the security of the cloud.
3. Best Practice for Businesses in the Cloud Environment
i. Inquire about exception monitoring systems
ii. Be vigilant around updates and make sure that staff don't suddenly gain access privileges
they're not supposed to.
iii. Ask where the data is kept and inquire as to the details of data protection laws in the relevant
jurisdictions.
iv. Seek an independent security audit of the host
v. Find out which third parties the company deals with and whether they are able to access your
data
vi. Be careful to develop good policies around passwords; how they are created, protected and
changed.
vii. Look into availability guarantees and penalties.
viii. Find out whether the cloud provider will accommodate your own security policies

4. Recommendations
The following outlines distinct security technologies that can be deployed as software on virtual
machines to increase protection and maintain compliance integrity of servers and applications as
virtual resources move from on-premise to public cloud environment.
4.1 Firewall
It is important to remember that "private cloud" means that the entire cloud infrastructure
belongs to one organization and is not shared with any other organization. This is in direct
contrast to a public cloud, wherein multiple organizations can share the pooled resources that are
provided by the cloud service provider. However, just because the private cloud is dedicated to a
single organization, that does not mean there are not going to be multiple business units that do
not necessarily want other business units to see their data. There is privacy from the outside
world, and then there is privacy within the organization. Therefore, there is a need to set up
security zones or perimeters around some of the business units that use the shared, pooled
resources in a private cloud.
There will be different approaches used to segregate one tenant's traffic from another's. In a
simple private cloud deployment, two networks may be set up: one for the cloud infrastructure
itself and one for the tenants. Then it is left to the tenants to take care of network security and
isolation within that network. That is one option, but as a private cloud operator, there is also the
option of providing value added services to the consumers of the cloud service, and one of those
value added services might very well be enhanced network security.
4.2 Intrusion Detection and Prevention
Techniques for detecting and preventing intrusions can be adapted to different layers or
components of an information system: from the network layer (network IDS/IPS) to the
operating system layer (host IDS), or even application or middleware layers (database IDS,
firewall). You can implement IDS functions from any application-generated log/information:
analyzing Apache server logs to detect intrusion or discovery attempts is a kind of IDS.
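The Apache-log case mentioned above can be sketched as follows. This is an added example, not code from the paper: it assumes the common/combined access-log format, and the function names, the 403/404 heuristic, the threshold and the sample lines are illustrative assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache common/combined log format: host ident user [time] "request" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"\S+ (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

def parse_line(line):
    """Return (ip, timestamp, path, status), or None for a malformed line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["path"], int(m["status"])

def find_scanners(lines, threshold=4, window=timedelta(seconds=60)):
    """Map each client IP to the largest number of distinct paths it requested
    with a 403/404 result inside one `window`, if that reaches `threshold`."""
    misses = defaultdict(list)  # ip -> [(timestamp, path)]
    for ip, ts, path, status in filter(None, map(parse_line, lines)):
        if status in (403, 404):
            misses[ip].append((ts, path))
    flagged = {}
    for ip, events in misses.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward
            distinct = len({p for _, p in events[start:end + 1]})
            if distinct >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), distinct)
    return flagged

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE = [
    '198.51.100.7 - - [12/Mar/2016:10:15:01 +0000] "GET /admin/ HTTP/1.1" 404 209',
    '198.51.100.7 - - [12/Mar/2016:10:15:02 +0000] "GET /backup.zip HTTP/1.1" 404 209',
    '198.51.100.7 - - [12/Mar/2016:10:15:03 +0000] "GET /old/ HTTP/1.1" 404 209',
    '198.51.100.7 - - [12/Mar/2016:10:15:04 +0000] "GET /test/ HTTP/1.1" 403 199',
    '198.51.100.7 - - [12/Mar/2016:10:15:05 +0000] "GET /config.bak HTTP/1.1" 404 209',
    '203.0.113.5 - - [12/Mar/2016:10:15:02 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '203.0.113.5 - - [12/Mar/2016:10:15:03 +0000] "GET /favicon.ico HTTP/1.1" 404 209',
    'truncated or malformed entry',
]

if __name__ == "__main__":
    print(find_scanners(SAMPLE))
```

A single missing favicon from an ordinary visitor stays below the threshold, while the burst of distinct missing paths from one address is reported.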
Pooling resources among cloud users and simultaneously using common resources are
fundamental traits of cloud computing. A cloud customer can use the same network access,
machines and storage systems as other clients, with virtualization and isolation technologies
making the whole process transparent.
In the physical world, setting up an IDS/IPS depends on the physical environment: a network
link or access, one or more physical servers, a platform, etc. With a cloud environment,
everything is virtual and immaterial. Customers looking to protect their virtual machines (VMs)
have to look at the problem differently. One of the classic questions is how to monitor traffic
between two localized VMs on the same hypervisor. Even if each customer activates a VM
equipped with IPS/IDS, there's still the challenge of managing it.

All traffic is carried on secure VLANs, passing through a firewall to access other cloud VLANs
or physical networks. Firewall technology also provides intelligent threat defense with
identity-based access control and denial-of-service-attack protection.
4.3 Integrity Monitoring
File integrity services monitor both file and configuration integrity, looking at raw file contents,
permissions, registry settings, and security settings. It is important to maintain back-up data
both on-site and off-site to accommodate rapid recovery of recent data as well as long-term
off-site storage.
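A minimal file integrity check along these lines, added here as an illustration and not taken from the paper: it baselines file contents (SHA-256) and permission bits and reports what changed. Registry and security settings are out of scope, and the function names and the temporary-directory scenario are assumptions.

```python
import hashlib
import stat
import tempfile
from pathlib import Path

def snapshot(root):
    """Map each regular file under root to (SHA-256 hex digest, permission bits)."""
    state = {}
    for path in Path(root).rglob("*"):
        st = path.lstat()
        if not stat.S_ISREG(st.st_mode):
            continue  # directories, symlinks and special files are not hashed
        digest = hashlib.sha256()
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                digest.update(chunk)
        state[str(path.relative_to(root))] = (digest.hexdigest(), stat.S_IMODE(st.st_mode))
    return state

def compare(baseline, current):
    """Return a sorted list of (change, path) differences between two snapshots."""
    findings = []
    for path in baseline.keys() | current.keys():
        old, new = baseline.get(path), current.get(path)
        if old is None or new is None:
            findings.append(("added" if old is None else "removed", path))
            continue
        if old[0] != new[0]:
            findings.append(("content-changed", path))
        if old[1] != new[1]:
            findings.append(("permissions-changed", path))
    return sorted(findings)

def demo():
    """Constructed scenario: edit, chmod, delete and add files in a temp dir."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name in ("app.conf", "run.sh", "old.log"):
            (root / name).write_text("original\n")
        (root / "run.sh").chmod(0o644)
        baseline = snapshot(root)
        (root / "app.conf").write_text("tampered\n")
        (root / "run.sh").chmod(0o755)
        (root / "old.log").unlink()
        (root / "new.bin").write_text("x")
        return compare(baseline, snapshot(root))

if __name__ == "__main__":
    print(demo())
```

The baseline is only useful if it is stored where the monitored machine cannot rewrite it, for example alongside the off-site back-ups.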
4.4 Log Inspection
With sophisticated log aggregation and event correlation, log inspection quickly and efficiently
identifies and resolves potential security threats. Log inspection collects and analyzes operating
system and application logs for security events. Log inspection rules optimize the identification
of important security events buried in multiple log entries. These events can be sent to a
stand-alone security system, but contribute to maximum visibility when forwarded to a Security
Information and Event Management (SIEM) system or centralized logging server for correlation,
reporting and archiving. Like integrity monitoring, log inspection capabilities must be applied at
the virtual machine level. Log inspection software on cloud resources enables:
i. Suspicious behavior detection
ii. Collection of security related administrative actions
iii. Optimized collection of security events across your data center
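
As an added illustration (not part of the paper) of a rule that finds an event spread over several log entries, the sketch below correlates OpenSSH login failures with a later success from the same address and collects sudo commands as administrative actions. The rule, its threshold, the function name and the sample lines are assumptions; lines are assumed to arrive in chronological order from one host.

```python
import re
from collections import defaultdict

# Patterns for OpenSSH and sudo syslog messages as commonly written to auth logs.
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+)")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+)")
SUDO = re.compile(r"sudo:\s+(\S+) : .*USER=(\S+) ; COMMAND=(.+)$")

def inspect_log(lines, min_failures=3):
    """Correlate entries in order: flag a successful login from an address that
    just produced `min_failures` or more failures, and collect sudo commands."""
    failures = defaultdict(int)  # source address -> failures since last success
    events = []
    for line in lines:
        line = line.rstrip("\n")
        if m := FAILED.search(line):
            failures[m[2]] += 1
        elif m := ACCEPTED.search(line):
            user, ip = m[1], m[2]
            if failures[ip] >= min_failures:  # threshold is an illustrative choice
                events.append(("login-after-failures", ip, user, failures[ip]))
            failures[ip] = 0
        elif m := SUDO.search(line):
            events.append(("admin-action", m[1], m[2], m[3]))
    return events

# Constructed auth-log lines (documentation addresses), not from a real host.
SAMPLE = [
    "Mar 12 10:15:01 web01 sshd[2211]: Failed password for root from 198.51.100.7 port 51122 ssh2",
    "Mar 12 10:15:03 web01 sshd[2212]: Failed password for invalid user admin from 198.51.100.7 port 51123 ssh2",
    "Mar 12 10:15:06 web01 sshd[2213]: Failed password for deploy from 198.51.100.7 port 51124 ssh2",
    "Mar 12 10:15:09 web01 sshd[2215]: Accepted password for deploy from 198.51.100.7 port 51125 ssh2",
    "Mar 12 10:20:00 web01 sshd[2300]: Failed password for alice from 203.0.113.5 port 40100 ssh2",
    "Mar 12 10:20:05 web01 sshd[2301]: Accepted publickey for alice from 203.0.113.5 port 40101 ssh2",
    "Mar 12 10:21:10 web01 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx",
]

if __name__ == "__main__":
    for event in inspect_log(SAMPLE):
        print(event)
```

No single line in the sample is alarming on its own; the finding comes from the sequence, which is why such events are worth forwarding to a central system that sees every host.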

5. Future Research Issues


Today, the cloud is a reality for millions of consumers all over the world. However, there is still
work to be done to facilitate its use, instill confidence in its intended capabilities, address users'
security and privacy concerns, and encourage innovation. The following are the research issues
related to cloud computing security:

i. How to secure the cloud while maintaining availability?
ii. How to provide a secure key assignment scheme for cloud users?
iii. How to make the browser secure against various types of attacks?
iv. It would be desirable to add XML Encryption and XML Signature functionality to the
browser.
v. How to develop a secure API for cloud users?
vi. How should we be careful about the security concerns while putting our business on the cloud?
vii. There are open research challenges in cloud computing security which demand intensive
research.
viii. The security model should be provably secure. Security as a Service should be provided to
the cloud users.

6. Conclusion
More than being a technology, cloud is a new model of IT service delivery. There are lots of
challenges for research about the issues related to the security in cloud computing. Security as a
service should be provided to the cloud users as a way of ensuring the safety of their resources
and increasing their faith in the technology.

REFERENCES
Computer Society of India, CSI Communications Monthly Magazine for Knowledge Digest for IT Community; Jan, 2016, Mumbai, www.csi-india.org

Department of Electronics and Information Technology (Deity), Government of India's GI Cloud (Meghraj) Strategic Direction Paper, April 2013. www.deity.gov.in

Institute of Electrical and Electronics Engineers, IEEE cloud computing Quarterly Magazine; May 2014. http://cloudcomputing.ieee.org/

Jaydip Sen, Security and Privacy Issues, Available at https://books.google.co.zw/books?hl=en&lr=&id=OOKWBQAAQBAJ&oi=fnd&pg=PA1&dq=security+and+privacy+issues+in+cloud+computing&ots=ViIhHod6Ft&sig=e5005XvHmrSnzoc4lgHRa1hR8&redir_esc=y#v=onepage&q=security%20and%20privacy%20issues%20in%20cloud%20computing&f=false? (Accessed: 25 February 2016)

J. Brodkin, Loss of Customer Data Spurs Closure of Online Storage Service 'The Linkup,' Network World, August 11, 2008, http://www.networkworld.com/news/2008/081108-linkup-failure.html?page=1

National Informatics Centre, Informatics, An e-Governance publication from NIC, Vol.22, No. 4, April, 2014, New Delhi, www.informatics.nic.in

Palvia, P., Palvia, S. and Whitworth, J. (2001), Global information technology: a meta analysis of key issues, Information & Management.

Sharma, A., & Gupta, S. (2011). A few useful considerations in the development of intra-day trading software: comparing indian intra-day trading software with foreign software. ACM SIGSOFT Software Engineering Notes, 36(4), 1-5

US NIST SP 500-291, NIST Cloud Computing Standards roadmap V 1.0, July, 2011, www.csrc.nist.gov/
