Evaluation of security solutions in cloud Computing

Abstract
In the IT security sector cloud computing has raised as new field in computer. It got
attention of many users as its architectures are very unique in security industry. In the
current corporate environments cloud computing is totally a new concept that is
becoming very popular. It becomes popular with web technology when delivered as
service. With respect of time the cloud computing concept spread the industry with two
types of cloud computing: public and private. This report will be based on the evaluation
of solution in cloud computing and also will compares the performance and cost
effectiveness of both private and public of cloud computing. Further more the literature
review will be performed to understand cloud computing and its security issues. At the
end of the literature review a hypothesis is formed, in order to allow the experiment to be
designed and performed to gather results to prove or disprove the hypothesis.

Introduction
The combination of the hardware and software in a data centre is called “cloud.”
Cloud computing is loaded with security risks. Elegant client will ask hard questions and
will think to get a security assessment from a neutral party before performing to a cloud
vendor. Cloud computing has "unique attributes that require risk assessment in areas such
as data integrity, recovery, and privacy, and an evaluation of legal issues in areas such as
e-discovery, regulatory compliance, and auditing.
Security issues in cloud computing have been drawing growing interests in recent times.
There have been a lot of proven security attacks on different cloud computing providers
such as Google (Gmail, App Engine), Amazon Web Services (Amazon S3),
Salesforce.com (Salesforce.com), etc.
Due to the lack of insight in billing and metering the cloud is one of the major challenges
being faced by the IAAS users. Some cloud service providers such as Amazon’s EC2 do
not provide any kind of real time reporting or API for their cloud billing. This may lead
to trust issues which arise when a client doubts whether the computation task provided by
the cloud service was executed completely and correctly or whether the user was billed
 fairly for its service. We have identified various problems arising in metering in cloud
services and present our proposed solutions for each of the problems. Our solutions show
that we are able to resolve each problem with the clients performing considerably less
computations than the server.

There are some popular examples of cloud computing i.e.

• Amazon's EC2 service

• Google App Engine

Types of cloud computing

It is divided into two type’s private and public clouds. Public clouds are capable of being
gotten from different vendors i.e. Amazon.com, Google.com,Oracle.com,Sun.com,
Canonical and many others.

Private cloud technologies, where the cloud software is loaded on local or in-house server
hardware, are available from VMware, Eucalyptus, Citrix, Microsoft, and there are
thousands of vendors offering “cloud solutions” of all sorts. Private and public clouds are
Contingent on one another. Public cloud is put up as a service, commonly over Internet
connection, while private clouds inside the firewall, controlled by the user’s
organization .Both types infrastructure presents very different experiences and potential
to the end user. Users can weigh the computing capabilities of a public cloud to meet
their requirements on-demand and will not require purchasing costly IT hardware.
Scaling the cloud is developed by adding another server and the self-managing
architecture increase the cloud by adding performance and potential.

Background
Cloud computing is a recent evolutionary step of web-based information delivery and
computation. In the past the Internet has served as an infrastructure for applications and
both static and interactive web pages. After which, hosted applications like Google Mail
and Google Docs appeared. As these types of web applications added more user-
configuration, they were renamed Software-as-a-Service (SaaS).

Both public and private cloud platforms are looking to deliver the benefits of cloud
computing to their users. Whether using a private or public cloud, in a business it is
crucial to understand cloud computing requirements and the business needs. The word
cloud computing is a marketing term that is attributed to web-based application and some
communication services.

Discussion
Security based Issues and its Solutions in Cloud Computing
The purpose of the report is to engage the attention to the concerns security issues and its
solutions in cloud computing. Cloud computing is something designed to cover different
situations that covers virtualized operating systems that are running on unrevealed
numbers of physical servers. Cloud computing is an area that is developing more as a
supportive of cloud architectures.The basic areas of cloud weakness are showing
resemblance to the standard issues that cover networking and its applications. In cloud
computing big issue that is related to cloud architectures include network control,exists in
the hands of third parties and capability for sensitive data availability is more to third-
parties as well, both to staff and other clients.Government, industry suppliers, observers
and government officials has been advised by security adviser to launch cloud computing
pilot tests for applications ranging from communications and remote access, to virtual
data centers, analytics/reporting, web portals, collaboration as well as records and case
management.

Cloud computing services, such as Amazon's EC2 and Google Apps, are booming. But
are they secure enough? Growing dependency on cloud computing is same as our
dependency on public transport system. These systems force us to trust on them although
we have no control on them. It restricts us to a limited transportation and submits us to
the authority, rules and time table but that does not apply if we were flying our own
planes. Also it is so economical that means we don’t have any other choice. Customers
must ask for transparency from sellers who snub to detailed information on different
security programs while selling. Customer must ask some questions regarding
qualification of the Policy makers, Architects, Operators; risk-control processes, Coders
and technical mechanisms; and the stage of testing that's been made to validate that
service, and that sellers can identify unexpected vulnerabilities

Some of vulnerabilities in several broad areas are as follow :

 Web application vulnerabilities:-

Web application vulnerabilities involved cross-site scripting and sql injection. These are
because of poor field input validation, default configuration as well as buffer overflow or
some time it happens with mis-configured applications.

 Accessibility vulnerabilities:-

These are the vulnerabilities transferred to the TCP/IP stack and the operating systems.

 Authorizing device or devices:-

Authorizing devices is also an vulnerability in cloud computing. It involved IP spoofing,

RIP attacks, ARP poisoning and DNS poisoning are all also very popular on the Internet.
TCP/IP has some unfixable defects such as trusted machine.

 Data disturbance:-

Data is also disturbed in many ways like data verification, altering, theft and loss. Even if
the data is on a local machine, in transit, at rest or with unknown third-party device or
during remote back-ups process.

 Physical access issues:-

There are two main issues of organization’s staff not having physical access to the
storing machine and processing a data, and other is unknown third parties physical access
to the machines

 Privacy and control issues :-

It has been always a big issue how to stop third parties physical control of a data.

Seven security issues must b raised with sellers before going for cloud vendor.

(1) Privileged user access (2) Regulatory compliance

(3) Data location (4) Data segregation

(5) Recovery (6) Investigative support:

(7) Long-term viability:

1. Privileged user access: Responsive data processed outside the activity brings with it
an inherent stage of risk, because outsourced services avoid the physical, logical and
personnel controls. Collect many information from the people who manage your data. In
such case follow Gartner who says "Ask providers to supply specific information on the
hiring and oversight of privileged administrators, and the controls over their access,”

2. Regulatory compliance: All customers who use data are responsible for the
security and integrity of their own data, even when it is held by a service provider.
Traditional service providers are subjected to external audits and security certifications.
Cloud computing providers who refuse to undergo this scrutiny are "signaling that
customers can only use them for the most trivial functions," according to Gartner.

3. Data location: No one knows where the data is located (country, city) data while
using cloud. For such situation Gartner says “Ask providers if they will commit to storing
and processing data in specific jurisdictions and whether they will make a contractual
commitment to obey local privacy requirements on behalf of their customers”.

4. Data segregation: All the Data in the cloud is usually in a shared environment
beside other customers data. Encryption is helpful but isn't a treatment at all. Gartner
suggests "Find out what is done to segregate data at rest”. Customer should be given
proof by cloud provider that encryption policy were designed and tested by skilled
specialists. For encryption Gartner says "Encryption accidents can make data totally
unusable, and even normal encryption can complicate availability".
5. Recovery: In case users don’t know about data location then it’s the responsibility of
the cloud provider to tell the users about data safety, restoration, time and recovery in
case of disaster.

6. Investigative support: In the cloud computing it is impossible to inquire unlawful

activity. The reason is explained by Gartner, he warns. "Cloud services are especially
difficult to investigate, because logging and data for multiple customers may be co-
located and may also be spread across an ever-changing set of hosts and data centers."

7. Long-term viability: Principally it is hard that cloud computing provider will go

bust or attain and down up by some other larger company. But if such an event happens
then you must be sure that your data will stay even after such incident. On such situation
Gartner says "Ask potential providers how you would get your data back and if it would
be in a format that you could import into a replacement application." So as a customer
you must keep Gartner saying before going to purchase any cloud computing.

Solutions
In this era economic climate favors money-spinning solutions. IT expects to spend much
less in 2011 than in 2009 and 2010 on messaging. Nearly half of respondents expected IT
expenditure to be lesser in 2011 versus 18 percent who made similar projection in
previous year. In the security market cloud-based solutions will make up a growing
percentage of purchases. Comprehensive security solutions will be particularly hot over
the next 12 months. Although the vast majority of enterprises today deal with separate
vendors for their various best-of-breed solutions (71 percent), the number of respondents
preferring a consolidated comprehensive centrally managed messaging security solution
double while individual best of breed solutions dropped significantly (to 33 percent of
respondents

Cloud computing solutions offer several benefits, most notably the scalable and flexible
access to computing resources. However, the increased concentration of business data
and computing power scales security risks as well, requiring special considerations and
care from cloud providers. This paper aims to provide helpful solutions to cloud
providers on the main security risks affecting the clouds.
 The best way to address cloud security, according to NIST officials is, to play close
attention to the following elements when working with cloud services providers:
• Work with the provider to find out its awareness to security and compare the vendor’s
security protection to current stage of security to guarantee the provider is getting parity,
or healthier security levels.
• Assessing risk is paramount. Require cloud computing partners to provide risk
assessments and
Information on how to mitigate uncovered security issues.
• If the provider doesn’t have a tested client-facing CSO, CISO, or equivalent security
professional, proceed with caution. This shows that the vendor is not serious about the
security levels.
• Understand cloud security should be equal to the most dangerous client the provider
supports.
• A cloud provider should be able to map policy and actions to any security command or
security-driven contractual commitment an agency mug.
• Show interest to the vendor’s loyalty to secure coding practices. If the vendor failed to
give you a strong story about discipline for writing code then escape.

Conclusion

There is a possibility that one of the pieces of the frame developing a method to monitor
the cloud’s management software, and another development for separated processing for
particular clients’ applications. After all this discussion an assumption can be made that
whether the virtual machines in the cloud are patched properly would also be a useful
part of the framework. In case people are allowed to run automated patching software
then their behavior can be recorded and monitored.

Bibliography

Source :
1. Web source : <http://www.google.co.uk>,accessed 25/11/2010
 2. Web source :http://www.zdnet.com/blog/greenfield/cloud-computing-security,accessed
25/11/2010

3. Jon Brodkin ,”Gartner seven cloud computing security

risks”,<http://www.infoworld.com/d/security-central>, accessed 25/11/2010.

4. Web source: <http://www.technologyreview.com/computing>,accessed 26/11/2010

5. Web source:<http://josefnankivell.com/computing/public-private-cloud-computing-
evaluation>,accessed 26/11/2010

6. Claburn,Thomas.<http://www.informationweek.com/news/services/saas/showArticle.jht
ml?articleID=221100129>,accessed 26/11/2010.
7. Web source: <http://www.cloudscaling.com>,accessed 26/11/2010
8. "Forecast for 2010: The Rise of Hybrid
Clouds".<http://www.Gigaom.com,accessed>,accessed 27/11/10
9. "Kevin Kelly: A Cloudbook for the Cloud". Kk.org.
<http://www.kk.org/thetechnium/archives/2007/11/>,accessed 27/11/2010
10. Web source:<http://www.readwriteweb.com>,accessed 27/11/2010.