
International Journal on Recent and Innovation Trends in Computing and Communication ISSN: 2321-8169

Volume: 5 Issue: 6, pp. 236-243


_______________________________________________________________________________________________
An Exploration of Security Issues in Cloud Environment

Tharani P
Computer Science and Engineering
Government College of Engineering
Salem, India
e-mail: tharanisiva05@gmail.com

Kalpana A M
Computer Science and Engineering
Government College of Engineering
Salem, India
e-mail: kalpana.gce@gmail.com

Abstract: Data security is a significant concern for most businesses and even home computer users. Client information, payment information, personal files and bank account details are hard to replace and potentially dangerous if they fall into the wrong hands. Data lost due to disasters such as a flood or fire is crushing, but losing it to hackers or a malware infection can have much greater consequences. Restoring the data to its original form is also costly. Nowadays many start-up and growing organizations are thinking about reducing their IT infrastructure, network and software costs by means of Cloud technology. Cloud Computing provides different services such as infrastructure, platform and applications as utility services over the internet, which opens a new way of meeting the business challenges of IT industries. Security of critical data and systems in the Cloud remains a key barrier to adoption of Cloud services. Since the data centers could be positioned in any part of the world beyond the control of users, security and privacy are multifaceted issues that need to be understood and addressed. Various issues related to security need to be addressed in the Cloud Computing environment. The aim of this paper is to present an analysis of Cloud Computing security issues and of the numerous issues that remain unresolved.

Keywords- Cloud Computing, Mobile Cloud Computing, Network Level Security, Application level security

__________________________________________________*****_________________________________________________

I. INTRODUCTION

The Internet is an innovative technology through which all kinds of information are available, and it plays a vital role in Cloud Computing. In recent years, Cloud Computing has seen a major shift towards acceptance and has become a trend in the information technology space. It offers significantly reduced costs and new business potential to its users and providers. Cloud Computing is a kind of platform that provides Cloud usage to its users. It permits access to data and resources from any place at any time; the only condition is that there is internet access for that particular use of Cloud Computing.

Cloud Computing is an emerging trend to deploy and maintain software and is being adopted by companies such as Google, IBM, Microsoft and Amazon. The Cloud is defined as a model for on-demand web access to shared configurable computing resources such as networks, servers, storage devices and services that can be provisioned quickly and released with minimal management effort or service provider interaction. In such an environment users need not own the infrastructure for the various computing services. It integrates features to support high scalability and multi-tenancy, offering enhanced flexibility compared to the existing methodologies. It can develop, dispense or transfer resources dynamically and can continuously monitor performance. Moving critical applications and sensitive data to a Public Cloud environment is of great concern for corporations that are moving beyond the data center network under their control [1].

II. CLOUD CHARACTERISTICS AND TECHNIQUES

Cloud characteristics can be categorized based on the services and deployment models. Although the Cloud consists of various types of services, three are considered the most important: IaaS, PaaS and SaaS. The Infrastructure as a Service (IaaS) layer is the lowest layer and provides basic infrastructure services. The Platform as a Service (PaaS) layer is the middle layer that provides platform-oriented services, in addition to providing users with applications. Software as a Service (SaaS) is the top layer, in which a complete application is offered as a service on demand. It eliminates the need to install and run an application on a client's local computer, which eases the customer's burden of maintaining the software.

Apart from the above-mentioned service models, Cloud services can be deployed in four ways depending on customers' needs:

- Public Cloud: A Cloud infrastructure is provided to many customers, basically over the internet, and is handled by a third party. Many enterprises can work on the infrastructure provided at the same time. Users can dynamically provision resources through the internet from an off-site service provider. Wastage of resources is checked, as the users pay for whatever they use.
- Private Cloud: Cloud infrastructure made available only to a specific client and administered either by the organization itself or by a third-party service provider. This uses the concept of virtualization of machines and is a proprietary network.
- Community Cloud: Organizations share the same infrastructure for multiple causes, and it may be managed by them or by a third-party service provider.
- Hybrid Cloud: A hybrid of two or more Cloud deployment models, connected in a way that data transfer takes place between them without affecting each other.
IJRITCC | June 2017, Available @ http://www.ijritcc.org
III. MOBILE CLOUD COMPUTING

With the advent of highly developed resources like 3G, 4G, Wi-Fi and Wi-Max, a new approach to Cloud Computing has emerged, known as "Mobile Cloud Computing (MCC)". Data processing in the Cloud can be accessed through mobile technology using a mobile device. Mobile clients are connected to a base transceiver station to access the mobile network services. The mobile client uses mobile network services to communicate with the Cloud through the internet [2], as shown in Figure 1. It is becoming a modern trend, and many organizations want to provide their employees with remote access to the office network via a mobile device.

Figure 1. Mobile Cloud Computing

Most organizations have looked intently at the trend of providing their offices with Cloud access through mobile devices. Apart from this, from the viewpoint of MCC there are several additional challenges that need to be addressed to enable MCC to reach its maximum potential:

- Network Usage: The Internet is the key aspect in the development of Cloud Computing, and without network (Internet) access it will not be possible to access and use the limited Cloud applications that are available.
- Observation of Network Dynamics and Scalability: Applications that run on mobile phones in a Cloud Computing platform should be smart enough to adapt to the capabilities of various networks, and they should also be accessible through multiple platforms without suffering any loss of data.
- Confidential Cloud-based mobile data: Sensitive data on mobile phones can be maintained using Cloud-based mobile technology. Root-level access to Cloud services and easily accessible information can be stolen from the mobile device. The system administrator may have direct and computerized access to extremely confidential information.
- Access control and identity management: The main component of Cloud Computing is virtualization, and thus user authentication is needed. Since data linked with different users may be stored on a single hypervisor, distinct measures are essential to overcome the potential weaknesses and flaws in the hypervisor platform.

The security challenge in the mobile Cloud Computing environment is somewhat different from the challenges of the above-mentioned network. Hackers can damage the applications located in the Cloud. To avoid this, robust virus scanning and malware protection software should be installed to prevent any kind of malware attack on the mobile system. It can also be prevented by implementing a protection scheme for authorized users, so that an unauthorized user can easily be detected.

IV. TECHNIQUES THAT PROMOTE CLOUD COMPUTING

A. Virtualization

Virtualization is the concept that underlies the huge rise of Cloud Computing in the modern era. The concept is intended to provide an environment capable of delivering all the services that computing devices provide to end-users. Virtualization technology makes it easier to manage all the resources in a Cloud environment. It increases the security of Cloud Computing by protecting the integrity of both guest virtual machines and Cloud component virtualized machines. Virtualization introduces the ability to migrate virtual machines between physical servers for fault tolerance, load balancing or maintenance [3].

B. Web Service and SOA

Web Services provide services online using XML technologies, Web Services Description Language (WSDL), Simple Object Access Protocol (SOAP) and Universal Description, Discovery and Integration (UDDI). The Cloud hosting service is managed in the form of a Service Oriented Architecture (SOA), where SOA is defined as a number of services that perform a specific task.

C. Application Programming Interface (API)

Without APIs it is difficult to imagine the survival of a Cloud information system. The whole Cloud service package depends on application interfaces, which allow services to be set up and configured based on the API class used.

D. Web 2.0 / Mash-up

Web 2.0 is defined as a technology that allows generating web pages and gives users the chance to interact and collaborate within a user-created virtual community [4, 5]. It allows the use of World Wide Web technology as a more original and collaborative platform [6]. A mash-up is a web application that combines data from more than one source into a single integrated medium.

Many service providers offer services to customers with an effortless virtual environment that meets all the requirements. The most important of these are Amazon EC2 (Elastic Compute Cloud), S3 (Simple Storage Service), Simple Queue Service (SQS), CF (CloudFront), Proofpoint, RightScale, Salesforce.com, Workday, Sun Microsystems, etc., and each of them falls into one of three main classifications based on Cloud structure: private, public and hybrid. Cloud Computing solutions have grown considerably, and the security issues have become more sophisticated and widespread. The opportunity for cyber-attacks will also increase as demand-driven application usage increases. Individual users often have to provide online information about their identity, and an intruder can use it for identity theft. In order to address a wide range of security and privacy issues, such as confidentiality, operational integrity, disaster recovery
and identity management, the following measures should be observed, at least to ensure data security to some extent:

- An encryption system that secures protection measures in a highly disturbing environment.
- Providers should be given restricted access to the data, only enough to manage it, without being able to observe the data itself.
- Tight access control that prevents unauthorized and illegal access to network-managed servers.
- Data backup and redundant data storage to ensure seamless information retrieval when infrastructure fails.
- Decentralized identity management and user security, using either the Lightweight Directory Access Protocol (LDAP) or published application interfaces to connect to identity systems.

The Cloud Computing alliance carried out research in 2013 on Cloud Computing security threats and identified the following: Traffic Hijacking, Insecure Interface and APIs, Denial of Service, Malicious Insiders, Abuse of Cloud Services, Insufficient Due Diligence, Shared Technology Vulnerabilities, Data Breaches, Unknown Risk Profile, Perimeter Security Model Broken [7].

V. VIRTUALIZATION

Virtualization, in computing, is the creation of a virtual (rather than actual) version of something, such as a hardware platform, operating system, storage device or network resources. Virtualization can be viewed as part of an overall trend in enterprise IT that includes autonomic computing, a scenario in which the IT environment will be able to manage itself based on perceived activity, and utility computing, in which computer processing power is seen as a utility that clients can pay for only as needed. The usual goal of virtualization is to centralize administrative tasks while improving scalability and workloads.

Accordingly, security against virtual threats should also be maintained by adopting methodologies such as: checking the virtual machines connected to the host system and constantly monitoring their activity; securing the host computers to avoid tampering or file modification while the virtual machines are online; and guarding against attacks that aim to take control of the host or of other virtual machines on the network. It is assumed that the usage patterns of virtual machines in a Cloud Computing environment can be used to detect intrusions through abnormal use. The usage patterns recorded over time can be compared to the expected usage patterns already provided by the tenants, and deviations can be detected as unauthorized access.

With vulnerabilities and security holes in most modern OSs, attacks can be carried out to gain control of the host OS. Since the hypervisor is simply a layer running on top of the host OS, once the attacker has control of the host OS the hypervisor is essentially compromised. The administrative privileges of the hypervisor then enable the attacker to perform malicious activities on any of the VMs hosted by the hypervisor. This propagation of attacks from the host OS to the hypervisor and then to the VMs is shown in Figure 2.

Figure 2. Attack on Hypervisor through Host OS

Security concerns with the Cloud hypervisor rest largely on the concept of virtualization. In a virtualized environment, a hypervisor is defined as a controller, popularly known as the virtual machine manager (VMM), that allows multiple operating systems to run on a system at the same time, providing resources to each operating system such that they do not interfere with each other.

Running a number of operating systems on one hardware unit brings security issues with it. With multiple operating systems running on a single hardware platform, it is difficult to keep track of all such systems and thus to maintain the security of the operating systems. It may happen that a guest system tries to run malicious code on the host system in order to bring the system down, take complete control of the system, or block access to other guest operating systems.

If a hacker is able to gain control over the hypervisor, he can make changes to any of the guest operating systems and get control over all data passing through the hypervisor. Different varieties of attacks can be launched by targeting different components of the hypervisor. Based on an understanding of how the different components in the hypervisor architecture behave, a system to protect the Cloud can be developed by monitoring the activities of the guest VMs (Virtual Machines) and the inter-communication among the various infrastructure components.

VI. CLASSIFIED AND SECURE

The success of any technology is based on the level of security it provides. Is the data residing in the Cloud protected so as to avoid any kind of security violation, and is it safer to store data in the Cloud than on personal computers or hard drives? Cloud service providers insist that their servers and the data stored in them are sufficiently protected from any form of attack and theft. There have been cases where security came under attack and the whole system was down for hours. At least half a dozen security breaches have happened in the past years, exposing the inherent limitations of the security model of the large Cloud Service Providers (CSPs).

In the case of Public Cloud Computing there are multiple security issues that need to be addressed in comparison with Private Cloud Computing. The security of the Cloud depends on the performance of the objects as well as the connections between them. As the number of users in the multi-tenant shared environment increases, security risks get tougher and more diverse. Based on this idea, different security architectures, such as a secure component model addressing the problem of securing mash-up applications and a Cloud-based entropy

security framework focused on service mash-ups, have been recommended [8, 9].

VII. INTEROPERABILITY AND INFORMATION STORAGE PROTECTION IN CLOUD

An organization's choice of Cloud provider may change, and there have been instances when companies moved their data and applications to another Cloud platform in preference to the existing one. Lock-in refers to the difficulty faced by Cloud customers who need to migrate from one Cloud provider to another. More often, it is seen that changing the Cloud provider involves a variety of risks and could break down a system if it is not executed appropriately. When information is moved between Cloud providers, the data may not fit the format needed. This necessitates extra effort to make sure that the data is kept in a set-up that suits the new application and that no data is lost in the process.

Added to this, a few companies use different Cloud platforms for different applications based on their needs and the services provided by the CSPs. In some cases, different Cloud platforms are used for specific applications, or different platforms have to interact for a particular task. Internal organizational infrastructure is necessary to deal with and maintain interoperability between different Cloud platforms. The risk of outsourced services is high in a hybrid public and Private Cloud environment. Users really have no idea where their information is stored. Normally, user data is stored in a shared environment along with other users' data. This raises the issue of how security is handled, which is important in such cases.

Cloud service providers offer storage as one of their service types. They take data from users and store it in large data centers, thereby providing users with a means of storage. Different Cloud service providers adopt various technologies to protect the data stored in the Cloud. When all data is properly encrypted for security, key management becomes a difficult task. Encryption algorithms play an important role in data security on the Cloud [10]. Due to the virtualized nature of Cloud storage, traditional mechanisms are unsuitable for dealing with the security issues. These service providers use different encryption techniques, such as public key encryption and private key encryption, to secure the data stored in the Cloud. A similar technique is used to provide security for stored data using the verification of homomorphic signal distribution of data erasure-coding.

VIII. COMMON ATTACKS AFFECTING THE CLOUD - RISKS AND SOLUTIONS

A SQL injection attack is one in which malicious code is inserted into standard SQL code. The attackers thereby get unauthorized access to the database and are able to access sensitive information. Sometimes the hacker's input is misunderstood by the website as user data and allowed through to the SQL server, which lets the attacker learn how the website functions. Various techniques, such as avoiding the use of dynamically generated SQL in the code and using screening techniques to sanitize user input, are used to check SQL injection attacks. A proxy-based architecture for preventing SQL injection attacks dynamically detects and extracts the user inputs for suspected SQL control sequences.

Cross Site Scripting (XSS) attacks, in which malicious scripts are injected into Web content, have become quite popular since the inception of Web 2.0. There are two ways to inject the malicious code into the web page displayed to the user: stored XSS and reflected XSS. In stored XSS, the malicious code is permanently stored in a resource managed by the web application, and the attack is actually carried out when the victim requests a page that is dynamically built from the content of this resource. In reflected XSS, however, the attack script is not permanently stored; it is immediately reflected back to the user.

Based on the type of services provided, a website can be classified as static or dynamic. Static websites don't experience security threats, whereas dynamic websites suffer because of their dynamism in delivering multiple services to users. As a result, dynamic websites fall victim to XSS attacks. It is often observed that while working or surfing the internet, some web pages or pop-ups open up with a request to click through to view their content. More often than not, either unknowingly (unaware of the potential hazards) or out of curiosity, users click on these dangerous links, and the intruding third party thus gains control over the user's private information or hacks their accounts using the information obtained. Various techniques, such as Active Content Filtering, Content Based Data Leakage Prevention Technology and Web Application Vulnerability Detection Technology, have already been recommended for preventing XSS attacks. These technologies adopt different methods to detect security flaws and fix them.

Another class of attacks quite popular against SaaS is termed Man in the Middle attacks. In such an attack, an entity intrudes on the ongoing dialogue between a sender and a client to inject false information and to gain knowledge of the key data transferred between them. Various tools implementing strong encryption technologies, such as Dsniff, Cain, Ettercap, Wsniff, Airjack etc., have been developed to provide protection. The most common attacks occur at the Network Level and the Application Level of Cloud Security.

A. Network Level Security

Networks are classified into different types, such as shared and non-shared, public and private, small area or large area, and all of them have some security threats to deal with. When considering network level security, it is important to distinguish between public and Private Clouds. Almost all organizations have an established private network in place, and hence the network topology for a private Cloud is already defined. However, in the case of a Public Cloud implementation, the topology may need to change to accommodate the security features implemented, and the following points need to be addressed:

- Confidentiality and integrity of the data transferred over the public Cloud architecture must be ensured.
- Ensure proper access controls inside the Cloud.

The most common issues relating to network level security comprise: DNS attacks, Sniffer attacks, the issue of reused IP addresses, Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks, and BGP Prefix Hijacking.
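The SQL injection countermeasures named at the start of Section VIII (avoiding dynamically generated SQL, and screening user input for suspected SQL control sequences) can be compared side by side. The Python code below is an added example, not code from the paper; the table, column names and rows are constructed, and the screening pattern is an assumed, deliberately simple stand-in for the proxy-style check.

```python
import re
import sqlite3

# Constructed sample rows; the table and column names are hypothetical.
ROWS = [
    ("alice", "alice@example.org"),
    ("bob", "bob@example.org"),
    ("O'Brien", "obrien@example.org"),
]


def make_db():
    """Build an in-memory database so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", ROWS)
    return conn


def lookup_dynamic(conn, name):
    """Dynamically generated SQL: the input becomes part of the statement text."""
    query = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, name):
    """Fixed statement text; the input is bound as data and never parsed as SQL."""
    query = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()


# Assumed screening rule: quote, comment and statement-separator characters
# plus a few SQL keywords appearing as whole words.
SUSPECT = re.compile(r"'|--|;|/\*|\b(?:or|and|union|select|drop)\b", re.IGNORECASE)


def is_suspect(value):
    """Flag input that contains a suspected SQL control sequence."""
    return SUSPECT.search(value) is not None


def compare(name):
    """Run one input through the screen and both lookups; report what happened."""
    conn = make_db()
    try:
        dynamic = len(lookup_dynamic(conn, name))
    except sqlite3.OperationalError:
        dynamic = "syntax error"  # the input broke the generated statement
    result = {
        "flagged": is_suspect(name),
        "dynamic_rows": dynamic,
        "parameterized_rows": len(lookup_parameterized(conn, name)),
    }
    conn.close()
    return result


if __name__ == "__main__":
    for sample in ("alice", "x' OR '1'='1", "O'Brien"):
        print(repr(sample), compare(sample))
```

The legitimate name O'Brien is flagged by the screen and breaks the dynamically generated statement, while the parameterized lookup returns it correctly: binding is the control that removes the flaw, and screening is only a detection signal with false positives.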
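Section V describes comparing the usage patterns recorded for virtual machines against the expected patterns provided by the tenants and treating deviations as possible unauthorized access. The Python code below is an added example of that comparison, not part of the paper; the profile schema, the 10% tolerance, the three-sample persistence rule and every VM name and value are assumptions constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Expected:
    """Tenant-declared normal range for one metric (hypothetical schema)."""
    low: float
    high: float

    def contains(self, value, tolerance=0.10):
        # Allow a margin of 10% of the range width before calling it a deviation.
        slack = (self.high - self.low) * tolerance
        return self.low - slack <= value <= self.high + slack


# Constructed tenant profile: expected usage per VM and time-of-day period.
PROFILE = {
    "vm-web-01": {
        "business": {"cpu_pct": Expected(5, 70), "egress_mb": Expected(10, 400)},
        "off_hours": {"cpu_pct": Expected(0, 20), "egress_mb": Expected(0, 50)},
    },
}

# Constructed usage records: (vm, hour_of_day, cpu_pct, egress_mb).
SAMPLES = [
    ("vm-web-01", 14, 55, 320),
    ("vm-web-01", 15, 74, 410),    # slightly above range, inside the tolerance
    ("vm-web-01", 23, 12, 30),
    ("vm-web-01", 0, 18, 900),     # sustained off-hours egress starts here
    ("vm-web-01", 1, 15, 1200),
    ("vm-web-01", 2, 19, 1100),
    ("vm-web-01", 3, 10, 20),
    ("vm-web-01", 4, 60, 10),      # single CPU spike, not sustained
    ("vm-web-01", 5, 8, 15),
    ("vm-unknown-7", 2, 5, 5),     # VM for which the tenant declared nothing
]


def period_of(hour):
    return "business" if 8 <= hour < 18 else "off_hours"


def deviating_metrics(profile, vm, hour, metrics):
    """Names of the metrics that fall outside the tenant's expected range."""
    expected = profile[vm][period_of(hour)]
    return sorted(m for m, v in metrics.items() if not expected[m].contains(v))


def detect(samples, profile, min_consecutive=3):
    """Alert on runs of consecutive deviating samples and on unprofiled VMs."""
    alerts, runs = [], {}

    def close(vm):
        hours, metrics = runs.pop(vm, ([], set()))
        if len(hours) >= min_consecutive:
            alerts.append({"vm": vm, "hours": hours, "metrics": sorted(metrics)})

    for vm, hour, cpu, egress in samples:
        if vm not in profile:
            alerts.append({"vm": vm, "hours": [hour], "metrics": ["no-profile"]})
            continue
        bad = deviating_metrics(profile, vm, hour,
                                {"cpu_pct": cpu, "egress_mb": egress})
        if bad:
            hours, metrics = runs.setdefault(vm, ([], set()))
            hours.append(hour)
            metrics.update(bad)
        else:
            close(vm)  # a normal sample ends the current run
    for vm in list(runs):
        close(vm)      # flush runs still open at the end of the data
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLES, PROFILE):
        print(alert)
```

Requiring several consecutive deviating samples keeps a single spike from raising an alert, at the cost of detecting a sustained deviation a few samples late.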
A.1 DNS attacks

A Domain Name Server (DNS) performs the conversion of a domain name to an IP address, since domain names are easier to remember. But there are cases when, having called the server by name, the user is routed to some other malicious Cloud rather than the expected website. Measures such as Domain Name System Security Extensions (DNSSEC) reduce the effect of DNS threats, but there are still cases when these security measures prove inadequate, when the path between sender and receiver is rerouted through some malicious link. It may happen that even after the DNS security measures are taken, security problems are noted on the routes selected between the sender and receiver.

A.2 Sniffer Attacks

These types of attacks are launched by applications that can capture packets flowing in a network, and if the data is being transferred by the encrypted packets, it can be read. There is a chance that vital information flowing across the network can be traced or captured. A sniffer program, through the NIC (Network Interface Card), ensures that the data/traffic related to other systems on the network also gets recorded. This can be achieved by placing the NIC in promiscuous mode, in which it can track all data flowing on the same network. A malicious sniffing detection platform based on ARP (Address Resolution Protocol) and RTT (round trip time) can be used to detect a sniffing system running on a network [11].

A.3 Reuse of Released IP Addresses

Each node of a network has an IP address, and the number of IP addresses that can be assigned is limited. A large number of cases related to the re-used IP address issue have been noted recently. When a user moves out of a particular network, the IP address previously associated with that user is assigned to a new user. This sometimes puts the security of the new user at risk, as there is a certain time lag between the change of an IP address in DNS and the clearing of that address in DNS caches. Even though the old IP address has been assigned to a new user, the chance of some other user accessing the data is not negligible, as the address still exists in the DNS cache, and the data belonging to a particular user may become accessible to other users, violating the privacy of the original user.

A.4 BGP Prefix Hijacking

Prefix hijacking is a type of network attack in which a wrong announcement is made of the IP addresses associated with an autonomous system (AS). As a result, malicious parties get access to untraceable IP addresses. On the internet, IP space is associated in blocks and remains under the control of ASs. An autonomous system can broadcast information about the IP space it holds to all its neighbors. ASs communicate using the Border Gateway Protocol (BGP) model. Sometimes, due to some error, a faulty AS may broadcast incorrectly about the IPs associated with it. In such a case, the actual traffic gets routed to some IP other than the intended one. As a result, data is leaked or reaches some other unintended destination. A security system for autonomous systems is defined in.

A.5 Denial of Service Attack (DoS)

A DoS attack is an attempt against the availability of the services assigned to authorized users. In such an attack, the server providing the service is flooded by a large number of requests and therefore the service becomes available to the authorized user. Sometimes, when trying to access a site, we find that the server is overloaded with requests and observe an error. This happens when the number of requests exceeds what the server's capacity can handle. The occurrence of a DoS attack increases bandwidth consumption besides causing traffic congestion, making some parts of the Cloud inaccessible to users. The use of an intrusion detection system (IDS) is the most common means of defense against this type of attack [12]. Every Cloud is loaded with a unique IDS. The different intrusion detection systems work on the basis of information exchange. When a Cloud is under attack, its IDS alerts the entire system. Traditional IDS/IPS techniques such as signature-based detection, anomaly detection and Artificial Intelligence based detection can be used for the Cloud.

A.6 Distributed Denial of Service Attack (DDoS)

DDoS can be called an advanced version of DoS in terms of denying the important services running on a server by flooding the destination with a large number of packets that the target server is not able to handle. The attackers are thus empowered to control the flow of information by allowing some information to be available at certain times. The amount and type of information available for public use is thus clearly under the control of the attacker. A DDoS attack is run by three functional units: a Master, a Slave and a Victim. The Master is the attack launcher behind all these DDoS attacks, and the Slave is the network that acts as a launch pad for the Master. It provides the platform for the Master to launch the attack on the Victim. DDoS is a large scale coordinated attack on the availability of service of a target system or network bandwidth [13].

A DDoS attack basically operates in two stages: the first is the phase in which the Master tries to compromise machines to support the flooding. The other is installing DDoS attack tools and attacking the target server or machine. Accordingly, the result of a DDoS attack is to make the service available to authorized users, similar to how it is done in a DoS attack but different in how it is launched. A similar case of a Distributed Denial of Service attack was experienced by the CNN news channel website, leaving the majority of users unable to access the site for a period of three hours. IDS are used in the virtual machine proposed in to protect the Cloud from DDoS attacks. A Snort-like intrusion detection mechanism is loaded onto the virtual machine for sniffing all traffic, either incoming or outgoing. The IDS helps in early detection and prevention of DDoS attacks in the Cloud environment with more computational time [14]. Another method commonly used to protect against DDoS is to have intrusion detection systems on the physical machines which contain the users' virtual machines. The scheme was shown to perform reasonably well in a Eucalyptus Cloud.

B. Application Level Security

Application level security refers to the use of software and hardware resources to provide security to applications, such that attackers are not able to gain control over these applications and make desired changes to their format. Nowadays, attacks are launched disguised as a trusted user, and the system, considering them a trusted user, allows full access to the attacking party and gets victimized. The reason behind this is that the outdated network level security policies allow only the
authorized users to access the specific IP address. With the advancement of technology, these security policies have become obsolete, as there have been instances when system security was infringed by someone gaining access to the system in disguise. With the recent technological advancements, it is quite possible to impersonate a trusted user and corrupt data completely without being noticed. Hence, it is essential to install a higher level of security checks to minimize those risks. The traditional method for dealing with increased security issues was to develop task-oriented ASIC devices that can handle a specific task, providing higher levels of security with high performance. But because application-level threats are dynamic and adapt to the security checks in place, these closed systems have been observed to be slow compared to open-ended systems.

The capabilities of a closed system, as well as the adaptability of an open-ended system, have been incorporated to develop security platforms based on Check Point Open Performance Architecture using Intel Xeon Quad Core processors. Even in the virtual environment, companies like VMware etc. are using Intel Virtualization technology for better performance and security base. It has been observed that websites are more often protected at the network level and have strong security measures there, but may have security loopholes at the application level which may allow unauthorized users to access information. Application-level security threats such as XSS attacks, Cookie poisoning, Hidden field manipulation, SQL injection attacks, DoS attacks, Trojan and Debug options, CAPTCHA breaking, Dictionary attack, Google Hacking etc. arise from the unauthorized use of applications.

B.1 Cookie Poisoning
It involves changing or modifying the contents of cookies to gain unauthorized access to an application or a web page. Cookies basically contain the user's identity credentials, and once the cookies are accessible, their content can be forged to impersonate an authorized user. This can be avoided by performing regular cookie cleanup or by implementing an encryption scheme for the cookie data.

B.2 Hidden Field Manipulation
Certain fields on a web page are hidden; they hold page-related information and are basically used by developers. These fields are very prone to attacks by hackers because they are available on the web page and can easily be changed. This could lead to severe security breaches.

B.3 Backdoor and Debugging Options
It is common practice for developers to enable the debug option while publishing a website. This enables them to make changes in the code developed and get them implemented in the website. Since debug options facilitate back-end entry for the developers, and sometimes these debug options are left enabled unnoticed, this may give a hacker easy entry into the website and let him make changes at the website level.

B.4 CAPTCHA Breaking
CAPTCHAs were developed in order to prevent the use of internet resources by bots or computers. They are used to prevent spam and the overexploitation of network resources by bots. But recently, it has been found that spammers are able to break the CAPTCHA provided by the Hotmail email service provider. They make use of the audio system, which is able to read the CAPTCHA characters for visually impaired users, and use speech-to-text conversion software to defeat the test. A safe CAPTCHA design framework has been based on the problem of identifying numerous moving objects in complex backgrounds. A CAPTCHA designed on the proposed principle of zero knowledge per single frame is able to resist any attack method based on static optical character recognition (OCR). CAPTCHAs of such a design have proven to be resistant to attacks launched by capturing pictures for identification or by intercepting each video frame to recognize the individual CAPTCHA.

B.5 Dictionary Attack
Can data security in a Cloud Computing environment be completely compromised by a dictionary or brute force attack? In a dictionary attack, the intruder tries all the possible word combinations that could be successfully used to decrypt the data residing in or flowing over the network. Such attacks can be avoided by using challenge-response systems. In this protocol, the client is presented with a challenge when it tries to access a network. It must then calculate the answer to the challenge and respond back to the server in order to be able to access the network. The calculation of the response is a time-consuming process, which prevents users from launching brute force or dictionary attacks in a short period of time and thus ensures security against them.

B.6 Google Hacking
Google has emerged as the best option for finding details of anything on the internet. Google hacking refers to using the Google search engine to find sensitive information that a hacker can use to his benefit while hacking a user's account. In general, hackers try to find out through Google the security loopholes of the system they want to hack. After the necessary information is collected, they carry out the hacking of the system in question. In some cases, a hacker is not sure of the target and instead tries to find the target using Google, based on the loophole he wants to use to hack a system. The hacker then searches for all the possible systems with such a loophole and finds among them the ones he wants to hack. A Google hacking event was observed recently when login details of various Gmail users were stolen by a group of hackers. In order to avoid these threats, security implementation should be assessed at various levels of the three Cloud service delivery models: IaaS, PaaS and SaaS.

The comparative analysis of various existing methods, with their strengths and limitations, such as Information Storage Security, User Identification, Trustworthiness, Pseudo Defense Reputation and Secured Virtualized Mechanism, is given in Table I.
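Tamper detection for the client-held state discussed under B.1 Cookie Poisoning and B.2 Hidden Field Manipulation, as an added example that is not from the paper: it uses an HMAC integrity tag in place of the encryption scheme the text mentions, so a forged, relocated or expired value is rejected by the server. The key, the field names and the seal/unseal helpers are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional

# Constructed demo key (assumption); a real service loads it from a secret store.
SERVER_KEY = b"constructed-demo-key"


def _tag(name: str, value: str, expires: int) -> bytes:
    # Length-prefix every part so ("ab", "c") and ("a", "bc") cannot collide.
    parts = (name.encode(), value.encode(), str(expires).encode())
    msg = b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest().encode()


def seal(name: str, value: str, ttl: int = 900, now: Optional[float] = None) -> str:
    """Build 'b64(value)|expires|tag' for a cookie or hidden form field."""
    expires = int((time.time() if now is None else now) + ttl)
    encoded = base64.urlsafe_b64encode(value.encode()).decode()
    return f"{encoded}|{expires}|{_tag(name, value, expires).decode()}"


def unseal(name: str, sealed: str, now: Optional[float] = None) -> Optional[str]:
    """Return the value, or None if it was altered, moved to another field or expired."""
    try:
        encoded, expires_s, tag = sealed.split("|")
        value = base64.urlsafe_b64decode(encoded.encode()).decode()
        expires = int(expires_s)
        tag_bytes = tag.encode()
    except ValueError:  # wrong part count, bad base64, bad UTF-8, bad integer
        return None
    # The field name is part of the MAC, so a value sealed for "price"
    # cannot be replayed as "role". compare_digest avoids a timing leak.
    if not hmac.compare_digest(tag_bytes, _tag(name, value, expires)):
        return None
    if (time.time() if now is None else now) > expires:
        return None
    return value
```

The value stays readable by the client; if it must also be confidential, it should be encrypted with an authenticated cipher rather than only tagged.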
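The challenge-response scheme from B.5 Dictionary Attack, as an added example that is not from the paper: the response is computed from a deliberately slow PBKDF2 key, so every password guess costs a fixed amount of work, and the server also caps consecutive failures. The iteration count, the failure cap and all class and function names are assumptions.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # assumed work factor: the cost paid for every password guess


def derive_key(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def respond(password: str, salt: bytes, nonce: bytes) -> bytes:
    """Client side: answer the challenge without sending the password."""
    return hmac.new(derive_key(password, salt), nonce, hashlib.sha256).digest()


class Server:
    MAX_FAILURES = 5  # assumed cap on consecutive wrong responses

    def __init__(self):
        # The stored key is as sensitive as the password; protect this table.
        self.users = {}     # username -> (salt, derived key)
        self.pending = {}   # username -> outstanding nonce
        self.failures = {}  # username -> consecutive failed responses

    def enroll(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[user] = (salt, derive_key(password, salt))

    def challenge(self, user: str):
        """Return (salt, nonce), or None for unknown or locked-out users."""
        if user not in self.users:
            return None
        if self.failures.get(user, 0) >= self.MAX_FAILURES:
            return None
        nonce = secrets.token_bytes(32)
        self.pending[user] = nonce
        return self.users[user][0], nonce

    def verify(self, user: str, response: bytes) -> bool:
        nonce = self.pending.pop(user, None)  # single use, so a replay fails
        if nonce is None:
            return False
        key = self.users[user][1]
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        ok = hmac.compare_digest(expected, response)
        self.failures[user] = 0 if ok else self.failures.get(user, 0) + 1
        return ok
```

An eavesdropper who records the salt, nonce and response can still guess offline, but must pay the full PBKDF2 cost for each candidate password.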
TABLE I. COMPARATIVE ANALYSIS OF THE EXISTING SECURITY METHODS, THEIR STRENGTHS AND LIMITATIONS

| Methods of Security | Implied Methods | Strength | Limitations |
|---|---|---|---|
| Information Storage Security | Uses homomorphic tokens with distributed verification of erasure-coded data in order to ensure data storage security and to locate the server being attacked. | Supports dynamic operations on data blocks such as update, delete and add without data corruption and loss. Protects against data modification and server collusion attacks, as well as Byzantine failures. | Security is considered for dynamic data storage. However, the issue of fine-grained data error location remains to be addressed. |
| Identification of users in Cloud Computing | Uses the active bundles scheme, with predicates over encrypted data and multiparty computing, for authentication. | Does not need a trusted third party (TTP) for the approval or verification of user identity. Thus the user's identity is not disclosed. The TTP remains free and can be used for other purposes such as decryption. | The active bundle may not be executed at all by the host of the requested service. This would leave the system vulnerable. The identity remains secret and the user is not granted permission for his requests. |
| Trustworthy model towards interoperability and security in cross Cloud | Separate domains for providers and users, each with a special trust agent. Different trust strategies for service providers and customers. Time and transaction factors are taken into account for trust assignment. | Helps customers avoid malicious providers and helps providers avoid collaborating with or serving malicious users. | Security on a very large scale in the Clouds is an active issue. The current system can handle only a limited amount of security threats in a fairly small environment. |
| Pseudo Defense Reputation based trust management | Uses a hierarchy of DHT-based overlay networks; specific tasks are performed by each layer. The lowest layer deals with reputation aggregation and colluders, and the highest layer deals with various attacks. | Widespread use of secure Cloud | The proposed model is still in its development stage, and additional simulations are required for performance. |
| Making of a secured virtualized mechanism | An Advanced Cloud Protection system (ACPs) to ensure the security of guest virtual machines and of the distributed computing middleware is proposed. The operation of the Cloud components can be monitored by logging and by periodically checking system executable files. | A virtualized network is prone to various types of security attacks that can be sent to the guest VM. The ACPs system monitors the guest VM for any suspicious activity without being noticed. | System performance gets slightly degraded and a small performance penalty is encountered. |

IX. THREATS IN THE CLOUD ORGANIZATIONAL MODELS
Each of the three ways in which Cloud services can be deployed has its own advantages and limitations. In terms of security, all three have some areas that need to be addressed with specific strategies.

A. Security issues and measures in a Public Cloud
As far as the Public Cloud is concerned, there are many customers on a shared platform, and the infrastructure security is provided by the service provider. Some of the key security issues in the Public Cloud are:

- The three basic security requirements of confidentiality, integrity and availability must be ensured to protect data throughout its life. Data must be protected during the various stages of creation, sharing, archiving, processing, etc. However, the situation is more complicated in the case of the Public Cloud, since there is no control over the security practices of the service provider.
- In the case of a Public Cloud, the same infrastructure is shared between different tenants, and the chances of data leakage between tenants are very high. However, most service providers run a multi-tenant infrastructure. Appropriate investigation must be carried out at the time of selecting the service provider in order to avoid such a risk.
- In the event that a Cloud Service Provider uses a third party vendor to provide its Cloud services, it should be ensured what service level agreements are in place between them, as well as what are the
contingency plans in case of a breakdown of the third party system.
- The SLA defines the security requirements, such as what level of data encryption must be applied when data is sent over the internet and what the penalties are in case of failure of the service provider to do so.

B. Threats for security in a Private Cloud
The Private Cloud model gives the customer full control over the network and the flexibility to apply any traditional network perimeter security practice. While the security architecture is more reliable in a Private Cloud, there are still issues / risks that need to be considered:

- Virtualization techniques are quite common in Private Clouds. In such cases, the risks related to the hypervisor should be carefully analyzed. There have been cases when a guest operating system was able to run processes on the host or on other guest VMs. In a virtual environment, it may happen that virtual machines are able to communicate with all the other VMs. It also needs to be ensured that communication takes place with proper authentication and encryption techniques such as IPSec [IP level Security] etc.
- The host operating system should be free from any type of malware threat and should be monitored to avoid any such risk. In addition, where guest virtual machines are able to make contact with the host operating system, there should be dedicated physical interfaces to communicate with the host.
- In a Private Cloud, users are given the option to manage parts of the Cloud, and access to the infrastructure is available via a web interface or HTTP end point. There are two ways to implement a web interface: either by writing the whole application stack, or by using a standard applicative stack to develop the web interface using common languages such as Java, PHP, Python, etc. In a nutshell, standard interfaces must be developed properly, and web application security techniques need to be deployed to protect the various HTTP requests being made.
- In addition to internet security, a security policy must also be in place to protect the system from attacks that come from within the organization. This crucial point is missed out on most occasions, the stress mostly being on internet security. Security and control guidelines across various departments should be properly implemented according to their needs.

The hybrid Cloud model is a mix of the public and private Cloud, and thus the security issues discussed for both are applicable to it.

X. CONCLUSION
Cloud Computing is viewed as one of the most promising technologies in computing today, inherently able to address a number of issues. Improved connectivity and cross-Cloud integration of the different models provide better infrastructure and possible options for data migration. While Cloud Computing has revolutionized the computer world, it is prone to several security threats from network to application level. In order to keep the Cloud secure, these security threats must be controlled. Moreover, data residing in the Cloud is prone to a number of threats and various issues, such as the confidentiality and integrity of data, that should be taken into account when buying services from a service provider. The service provider must audit the Cloud services provided to the users at regular intervals and protect them against external threats. Also, service providers must ensure that SLAs are met in all Cloud services and that human errors are minimized, enabling smooth operation. In this paper, various security concerns related to the basic services provided by the Cloud Computing environment, and the solutions considered to prevent them, were discussed.
