del Rosario, Rheanaliz F.

BSIT 3

CLOUD COMPUTING With the fast-growing trend and improvement in business and computing world nowadays, there are a lot of data and information coming in every hour. And as a result to that, highly maintained data centers with loads of servers, networks and numerous software and applications are needed for the continued operation of small-scaled to large-scaled businesses. Not to mention the added presence of experienced IT experts who will operate, maintain and update these resources from time to time. With this, the cost and effort to spend on this sole section will significantly increase in no time. Undoubtedly, there is indeed a need for change in this kind of system. A new way is considered necessary to continue the operation but in a less costly and more advantageous manner. Cloud Computing or Working in the cloud (About, n.d), as others call it, is the best solution to this kind of circumstance. What is Cloud Computing all about? First and foremost, before defining Cloud Computing, a question must be answered first: What is a Cloud? Others define Cloud as a metaphor for the internet (Youtube, 2009). Internet is one way to get connected to the Cloud. But its not all about the internet. There are just applications and services of the Cloud that are offered on the web. Another is having your local area network connected to the Cloud. It means, having your local computers connect to a remote data center for file storage and others. Cloud computing refers to making different applications, software, information and other resources available for computers and other devices through network connectivity just like the internet. Inside the Cloud are resources being hosted centrally by data centers that are shared by different users, most typically using a web browser in computers or mobile devices over the network. These remote data centers are instantly provided by Cloud Computing providers, and all the user has to do is stay connected to the Cloud to keep its operation running. Using Cloud Computing, data and other resources do not need to be on the users individual computer or mobile devices since everything is already available for access on the Cloud, the internet for instance. Whats with Cloud Computing and why use it? Cloud computing allows consumers and businesses to use applications without installation and access their personal files at any computer with internet access. This technology allows for much

more efficient computing by centralizing storage, memory, processing and bandwidth. (Wikinvest, n.d) Doing business and computing before Cloud Computing has always been complex and costly. Data centers are needed to house all the needed applications and data of these businesses. Expensive servers and licensed software need to be purchased and updated from time to time. Maintenance of these facilities cost the business too much, especially with the IT experts that are to be hired to install, configure, test, run, secure, update and maintain the whole system. Much effort for the companys side is exerted for this. Within just a few years, companies began switching from hardware to cloud services because they were attracted to benefits like a reduction in capital costs as well as an easing in IT staffing issues. (Forbes, 2011) With that, Cloud Computing has been a blessing for these businesses since they do not need to spend too much for their company nor understand the technicalities of the system that delivers the services they use. Another is that Cloud Computing offers a metered service, which means that the clients only pay for what they use. They only get charged for what they are getting from these cloud services whenever they log in using their accounts. Unlike the traditional one which would make you pay for the flat rate even though you have long hours of not using the system. Cloud Computing offers instant application deployment which is available anytime and anywhere, as long as the user is connected to the Cloud. Also, there is no need to install or update anything on the end-users device for the services to work. Everything has been simplified and highly virtualized that life with Cloud Computing has been a lot easier than doing business and computing in the traditional way. Some Cloud Computing Services The simplest thing that a computer does is allow us to store and retrieve information. We can store our family photographs, our favorite songs, or even save movies on it. This is also the most basic service offered by cloud computing.(About, n.d) As mentioned in the previous statements, there are applications and services that Cloud Computing is making available over the internet. From basic office applications installed on our desktop computers like Microsoft office, Cloud Computing has Google Docs for word processing, Preezo for powerpoint presentations to compete with that. Sites that offer web-based email services such as Yahoomail, Gmail, Hotmail and others have made applications with email management as a feature such as Microsoft Outlook look less convenient since it has to be installed to the local computer for it to be used. From simple emails, Cloud computing has explored to having applications that offer VoIP services which has made communication over the internet more interactive such as Skype and Google Voice. Aside from that, Cloud computing also has entered the social networking world which has been undoubtedly popular to the people for the past few

years. Such sites with Cloud computing technology are two of the most popular social networking site, Facebook and Twitter. Also, websites that offer media services that let users upload and view videos, photos and the like such as Youtube, Flickr and Photobucket now also use the Cloud to provide such services to the people. File sharing sites such as the famous torrent site, BitTorrent has also explored cloud computing since that kind of new technology is very beneficial for sites that need stable and reliably large storage memory for their files. SaaS The applications mentioned above are software solutions provided over the internet, called Software-as-a-Service (SaaS). These SaaS applications eliminate the traditional install-and-run applications from our local computers. It gives convenience on both sides: Customer side and provider side. On the customer side, no licensing and installation of applications and software is needed while on the provider side, with just a single application to maintain, the costs are low compared to conventional hosting. IaaS From software, here comes the IaaS or Infrastructure-as-a-Service type of Cloud Computing. With IaaS, computing resources such as the servers, data-center space and network are offered as a service. So, instead of purchasing those resources, clients can now rent them so they dont have to worry about its maintenance. Examples of this are Amazons Elastic Compute Cloud (EC2), Rackspaces Mosso and GoGrids ServePath. PaaS Aside from SaaS, there is also PaaS or Platform-as-a-Service which acts as software and product development tools. With these, users can build new applications or develop existing ones without the cost of purchasing licensed development tools. Some examples of PaaS are: Salesforce.com/s Force.com, Google App Engine and Microsofts Azure. From simple and common applications and services that Cloud Computing power has been continually maintaining and running, there comes the more professional and business-related ones such as Cloud operating systems that are readily available on the Cloud. Among these Cloud Operating Systems are the eyeOS, cloudo, iCube and many more. In these online operating systems, the users will experience the look and feel of the local operating systems that they have on their computers. These online operating systems offer almost every common service that a common operating system that is installed and configured on the local computers has. So, it would look like an operating system within another operating system, but this time, running on a web browser.

Threats and Countermeasures If there are numerous advantages and benefits that people can get from Cloud Computing, then disadvantages and other concerns are also inevitable, since the good and the bad always come hand in hand. Many people does not approve of Cloud Computing no matter how convenient and efficient it is to people. Data Privacy and security are the main concerns of these people that make them doubtful of this technology. Just the thought of handing over and entrusting the confidential and sensitive files and information of the company to others outside it, not to mention, in a remote place no one else knows except the cloud providers, would definitely make any company executive worry over everything. And as an article about the Cloud Computing concerns (howstuffworks, n.d), they cant keep their companys information under the lock and key. The Clouds Multitenant environment is one of the major drawbacks of Cloud Computing. Public cloud components and resources are being shared by cloud subscribers, not to mention that the other subscribers are unknown to them. With that, possible threats in security could never be avoided. The clients hesitation to take advantage of the Cloud is all because of the risks and threats that are attached to it. Some would rather pay for the cost of a local data center than take the risk of losing all of the companys data. Some Cloud Computing threats and security issues are as follows: Abusive Users One would be the abuse and irresponsible use of it. Duvall(2010) has written that some IaaS (Infrastructure-as-a-Service) providers are often not that strict with the sign up process and some would offer free trial. With that, there are possible spammers that do pranks and provide false resources within the service, which makes the cloud, contain unreliable resources. Countermeasure The providers must also be stricter with the registration process. This way, they will have more valid clients and lesser hackers and abusers. They should also impose a strict validation process among the registrants. The providers must also monitor that unusual activities of the users registered in their service. Malicious Insiders Another threat within the Cloud environment is the malicious insiders that could be capable of accessing confidential data and gain control over the cloud services because of a

low level of access control in the network. Since every client of a certain cloud provider shares the same remote data center, the fear for infiltration by other users or hackers is inevitable. Different activities can be done against the data on the cloud, such as fraud, exploitation, falsification and many more. Countermeasure To ensure privacy and prevent illegitimate users from accessing data, authentication techniques need to be applied to the services. A form of authentication technique is using user names and passwords when logging in. With this, unauthorized and illegitimate users cannot look into the files and no data will be compromised. The Cloud Computing providers should be strict in providing privileges to hteir employees for managing the cloud services. Administrators transactions should also be transparent so any security breach could be more visible. Eavesdropping and Interruption Eavesdropping and interruption of data in transit can also be one of the threats when using Cloud Computing technology. Eavesdropping means that the privacy and confidentiality of the data to be sent to the cloud will be compromised. There is also a possibility wherein the data sent will not be received by the cloud due to some interruption during its transit. Countermeasure Since there are possibilities of interruption and eavesdropping of data while in transit, cloud should have a security measure for it. A common and well-known data protection technique can be used which is the encryption of data both in rest and in transit. Private Clouds arent really PRIVATE Private Clouds or also known as internal cloud or corporate clouds, are clouds that provide hosted services to limited number of clients behind a firewall (Anon.,2008), if not dedicated for use by a specific company. It is unlike the public clouds wherein every client is connected to it and shares the same resources. The resources in Private clouds are shared within the same company that owns it. It is said that Private clouds are in-demand for those companies who want or need more control over their data than they can get by using Public clouds which are third-party hosted service. But, an article about threats in Cloud Computing (Vance, 2011) mentioned that Private clouds arent really private. It is said that

many so-called private clouds are also hosted by third-parties, which mean that there are still possibilities for intrusion and illegitimate access. Countermeasure For private clouds that are hosted by third-parties all the necessary and possible countermeasures and protection schemes must be applied. Those private clouds who are internal clouds, or those hosted by the company itself, the company must be more vigilant for inside attacks and also apply necessary countermeasures. XML Signature Element Wrapping Most typically, clients connect to Cloud Computing through a web browser or web service (WS). Therefore, attacks that affect the web service would also affect cloud computing. XML Signature Element Wrapping (Jamil and Zaki, 2011) is another security issue in Cloud Computing which is a known attack for web services. Although different measures such as XML signature protect the data from illegitimate parties, the positions in the document are not included in the protection. With XML Signature Element Wrapping, the web service can be tricked to process malicious messages created by it. Countermeasure The possible countermeasure that can be done to prevent XML Signature Element Wrapping attacks on the system is to use a combination of WS-Security with XML Signature to sign particular element and digital certificated such as X.509 issued by trusted Certificate Authorities (CAs) (Jamil and Zaki, 2011). In addition, the web service server side should create a list of elements that is used in the system and reject any message which contains unexpected messages from clients Cloud Malware Injection Attack Being able to upload or save files and other resources into the cloud is one of the most basic features of Cloud Computing. Another threat with regards to injection of files has been mentioned by Jamil and Zaki (2011). It is the Cloud Malware Injection Attack. This kind of attack attempts to inject a malicious application or file into the cloud. Since the cloud already has anti-malware security programmed in its system, the attacker must create his own malware that could bypass the security of the cloud so that the system would treat it as a valid or safe input. These malwares could be viruses, Trojans and other harmful applications that would not only affect the remote data servers of the cloud, but also the

clients local computers if they happen to retrieve these malwares and run them on their machines. Countermeasure There is a possible countermeasure for Cloud Malware Injection Attack. Performing a service instance integrity check for incoming requests could do the trick in preventing Cloud Malware Injection Attack into the Cloud system. This integrity check for incoming requests uses hash values that the original service instance must match with the new service instance that the attacker is sending. Security countermeasures, no matter how or in what way it will protect the Cloud system, it must be able to validate legitimate user inputs, require user authentication, impose authorization and firewall policies, and make sure that the data whether it be at rest or in transit, will not be securely encrypted. Flooding Attacks One of the features of Cloud system is its capability to provide scalable resources. It is very advantageous when clients are sending numerous requests to the cloud since the system automatically scales up to support the clients requisite. But it could also be advantageous since it is very vulnerable for flooding attacks using large number of nonsense requests to the service. When the system receives the flood requests, it automatically scales up to provide more service instances to cope with the workload of the requests sent. So if this kind of attack goes on, the resources might all be consumed and nothing will be left for the real requests. Countermeasure Flood attacks of nonsense requests may eat up all the resources of the Cloud system which may lead to its being unable to provide the necessary services to the normal and real requests from the users. To prevent such disaster, installing a firewall or intrusion detection system (IDS) (Jamil and Zaki, 2011) will be able to filter malicious requests from attacking the server. Though IDS will not be able to completely prevent those attacks and may sometimes be erroneous like giving false alerts or considering normal requests as intrusive requests, it is still considered better than not having IDS at all the accepting the risk of using up all of the cloud systems resources.

As what Shinder (2011) wrote in his article about Cloud Security, Security is not about the type of cloud (Public, Private), but it is about its implementation on the cloud itself, to make it secured from illegitimate users and possible attackers. Each security implementation will have different security architecture, design and controls (Shindrer,2011). With the threats mentioned in the previous statements, companies subscribing to Cloud Computing services need to believe that the data and confidential information about their business are well-protected from threats. Otherwise, these companies would lose their trust and eventually unsubscribe from those services. To be able to keep their reputation, Cloud computing providers need to employ every possible technique to protect their clients data. Even though these cloud computing providers leave the clients the assurance of security and protection of their data, some clients would still not take the risk. Therefore, the Cloud Computing providers must put more effort in securing the data sent to these clouds.

Impact of Security Mechanisms on Legitimate Users On the previous sections, security threats in Cloud Computing are mentioned and discussed, and also its possible countermeasures and prevention procedures. With countermeasures that are done on the provider or server side, it has minimal impact on the end-users side since everything is done on the back-end of the system. The user does not need to do anything to take part on those procedures. But not all preventive measures are done on the back-end. There are common countermeasures and security procedures that the users need to go through to be able to do something on the system. An example of this is the captcha. Captcha is a program that generates and grade tests that only humans can pass but computer programs cannot (Google,n.d). This may be in the form of copying the random text provided or answering common questions that only human can answer. Captcha often prompts when the user is about to perform a secured transaction, so to be able to confirm that the user is really a human and not computer-programmed, captcha generates those tests. This is used to tell human and computers apart. This procedure is a good thing for the Cloud system since it can somehow secure the data to be accessed, yet for the enduser, it can be irritating and annoying especially when there are certain instances when the user is unable to answer the captcha correctly, it keeps on prompting for another until the user gets the correct one. It may be time-consuming for the legitimate users of the system. There are also instances when the user is about to do different transactions during his session. Thus, he will be prompted with captcha tests every time he tries to commit a transaction. So instead of doing those transactions in the shortest possible time, the user will take a longer time because of the captcha, which is definitely not advantageous. There are also systems that would make the user input his user password for him to continue to the next action or phase of the transaction. Like Facebook, Twitter or other sites, they would require the user to input his password whenever he tries to edit some customizations in his account settings or any other secured transaction. This may be a good countermeasure for the

system to protect falsification of user data, but for the user, it may not be good because it will cause him some delay in his transaction since verification of the password will take a couple of seconds depending on how responsive the system is. Other than passwords and captcha, there is another countermeasure that the user must be able to do and pass to be able to do his transaction, and that is email confirmation. Whenever a user signs up for any account on the internet, may it be for social networking, media, or forum site, he will be asked to input his email address since the site will be sending an email confirmation link to validate the users registration to the website. As mentioned, the confirmation link will be sent electronically and the user will have to click the link and it will redirect the user to the homepage of the website he signed up for. This kind of cumbersome process may be bothersome to the users. Also, valid registrants might have more problems for registering in the cloud computing network because of these countermeasures. Moreover, there are instances that the users of the cloud are not that knowledgeable of its environment. Their lack of knowledge of these countermeasures could trigger to user lock in. There could be situations wherein the user will have to answer a security question to authenticate his account and be able to continue in his transaction. This security question could be the one asked when he first registered in the system. The users answer must match the one he answered during his registration. There is a possibility that the user might be confused with it and answer incorrectly, thus the system will recognize him as an illegitimate user and forbid him to continue with the operation he was supposed to do. A much secured network could mean a much annoying authentication for users since they will have to provide more data for accessing their accounts. But other than negative impacts of these security countermeasures to legitimate users of the system, it is more important that the clients will feel secured because of those countermeasures. Clients will trust the provider more and thus, making them feel comfortable in using the cloud.

References: Melani Pinola,n.d. What is Cloud Computing? [online] Available at: <http://mobileoffice.about.com/od/workingontheroad/f/cloudcomputing.htm> [Accessed 15 January 2012]. Dave Cleaveland,n.d. Cloud Computing [Online] Available at <http://www.wikinvest.com/concept/Cloud_Computing> [Accessed 16 January 2012].

Daniel Nations,n.d What is Cloud Computing? [online] Available at: <http://webtrends.about.com/od/enterprise20/a/cloud-computing.htm> [Accessed 16 January 2012].

Ana Cantu, 2011 The History and Future of Cloud Computing [online] Available at: < http://www.forbes.com/sites/dell/2011/12/20/the-history-and-future-of-cloud-computing/> [Accessed 16 January 2012]. Gigafide, 2009 Basic Cloud Computing [video online] Available at: <http://www.youtube.com/watch?v=8RMWO9JxZjA> [Accessed 15 January 2012]; Jonathan Strickland, n.d. How Cloud Computing Works [online] Available at: <http://computer.howstuffworks.com/cloud-computing/cloud-computing3.htm> [Accessed 14 January 2012] Mel Duvall, 2010 What Are The Top Cloud Computing Threats? [online] Available at: <http://www.information-management.com/news/top-cloud-computing-security-threats-100172831.html> [Accessed 16 January 2012] Danish Jamil et al.,2011.Security Issues in Cloud Computing and Countermeasures [online] Available at: < http://www.ijest.info/docs/IJEST11-03-04-235.pdf> [Accessed 18, January 2012] Searchcloudcomputing, 2008. What is private cloud? [online] Available at: <http://searchcloudcomputing.techtarget.com/definition/private-cloud> [Accessed 18, January 2012] Microsoft. 2011. Cloud Security Overview. [online] Available at: <
http://social.technet.microsoft.com/wiki/contents/articles/cloud-securityoverview.aspx> [Accessed 19. January, 2012]