Sunday 3 August 2014







RISK & SECURITY I SSUES IN CLOUD COMPUTING

A Brief Documentary by

Soumyajit Basu

Student Of

SYMBIOSIS INSTITUTE OF COMPUTER STUDIES AND RESEARCH (SICSR)

AFFILIATED UNDER

SYMBIOSIS INTERNATIONAL UNIVERSITY (SIU)

1.0   ABSTRACT
           
Cloud is an emerging technology in today’s world of providing infrastructure to the growing Information Technology. It is a step forward to implementing complex business strategies and planning as the client side does not have to worry about limited resources for the deployment of their business applications. It is a flexible and scalable information technology infrastructure to enable business agility. But as proverb say that a coin has two sides of it so does the cloud. Besides the pros of using this technology there are cons of it too amongst which a major concern to this field is security about which the documentary is based upon.         

2.0   An Introduction to the Cloud
 
Cloud computing has become the new bee in today’s world of computing technology. This technology was implemented on a large scale since November 1988 when Amazon launched its first cloud computing instance which is popularly known as the EC2 service which used to provide Infrastructure as a service (IaaS).
It helped in eliminating the need to purchase huge amounts of software or software licenses for every employee, reducing the need for advanced hardware eliminating the need for companies to rent physical space to store servers and database and shifting the workload from one resource to another. Cloud is the general term that is used for computing that involves delivering hosted services over the internet. A few features of cloud that helped its growth in implementing an industry’s infrastructure were.
·         It is sold on demand.
·         It is elastic which means a user can have as much as or little of the service at a given time.
·         The services provided by the cloud are fully managed by the provider. These services include Infrastructure as a service (IaaS) which involves providing low level services that can be booted with a user-defined hard disk image, Platform as a Service (PaaS), in PaaS the cloud providers provides an API which can be used by an application developer to create applications on the provider’s platform, Software as a Service (SaaS), with Software as a Service the vendor supplies the software product and interacts with the user through a front-end portal or a web based application for example Google Docs.

3.0   Risks Involved In Cloud
 
        Prior to the advantages of using cloud infrastructure there were some known risks which lets an organization think before migrating its infrastructure and IT management into the cloud technology. These risks may be detailed as follows.

Protection Inconsistency : Due to the decentralized architecture of the cloud infrastructure its’ protection mechanism can be inconsistent among distributed security modules.

Business Discontinuity : Since whole of the cloud infrastructure is based on the aspects of networking, hardware and a large set of applications. Hence discontinuity in any of the module may lead to the breakdown of the system thereby questioning the aspect of “availability”.

Supplier Lock-in : The platform of a service provider requires some vendor specific hardware and software application that is needed to be integrated with the client specific system. Some vendor specific modules or workflows are implemented for functionality extension and integration. However due to the lack of standard API’s the portability to migrate to another supplier is not obvious or is a bit too tough. This predicates the lack of freedom of replacing a service provider in cloud.

Data Unreliability : Data protection includes access to data for confidentiality as well as its integrity. Cloud service users have concern about how service providers handle with their data, and whether their data is getting disclosed or illegally altered. This makes a major differentiator from the business aspect point of view whether to migrate IT infrastructure onto the cloud.

Hypervisor Isolation Failure : The hypervisor is considered as the base technology for cloud infrastructure. Multiple virtual machines hosted onto the physical server share both the CPU and memory resources. This causes a failure of isolation between two virtual machines since it is easier for a virtual machine instance hosted on the physical server to gain access on the other virtual machine thus causing exposure of secured data. This may compromise both integrity as well as confidentiality.    

4.0 A Few Security Compromises In Cloud & Its’ Possible Solutions
 
        Although cloud computing helped many organizations grow their business there were some drawbacks of it. These may be enlisted as follows.

4.0.1 XML Signature Wrapping Attack
        The wrapping attacks aimed at injecting a faked element into the message structure so that it is processed by the application logic. As a result an attacker can perform an arbitrary Web Service request while authenticating a legitimate user. This attack was first found in the Amazon’s EC2 and S3 services. The flaw was located in the web services security protocol which tricked the servers in processing altered digitally signed SOAP messages. So the proposed solution for this problem was found out by Dr. Jorg Schwenk. He gave a solution of adding an additional bit called the STAMP bit along with the SOAP header. When the message reaches the destination the STAMP bit is checked. If the STAMP bit is changed then the request to generate a new value is generated by the browser which is send back to the server in order to modify the authenticity checking where the server checks the STAMP bit.

4.0.2 Malware Injection
        Cloud malware injection attacks refer to a manipulated copy of the victim’s service instance, uploaded by the attacker to the cloud. So some service request to the victim’s service is processed within the malicious instance. An attacker can get access to the user data through this attack. The incidents of this attack include credential information leakage, user private data leakage and unauthorized access to cloud resources. Not only that the challenge also lies in the failure to detect in which node the attacker uploaded the malicious instance.
            A serious case occurred in the United States Treasury Department where it was detected that a malicious undetected iFrame (Inline Frame) HTML code was embedded within the website HTML code that caused user’s credential leakage. Another issue occurred when a rootkit (a malicious application that gets activated each time the system boots up) was injected within the victim’s machine that attempted to disable all anti-malware applications within the system.
            A proposed solution to this problem was to use a FAT (File Allocation Table) system architecture. The FAT identifies the code or application that the customer is going to run. It maintains an index of all codes and applications on the customer’s end that validates by checking the index of the customer’s currently running instance with the index of the previously deployed instance. This helps to check the validity and integrity of the new instance. Besides the FAT a hypervisor will be needed to schedule all the instances but not before checking the integrity of the instance from the FAT table of the customer’s virtual machine.

4.0.3 Phishing Attacks
            Phishing is an attempt to access personal information from unsuspecting user through social engineering techniques. It is commonly achieved by sending links of web pages in emails or through instant messages. These links looks like legitimate sites thereby leading a user to it. Phishing attacks can cause leakage of valuable information such as credit card number, login information. There are basically two kinds of phishing attacks. Formally a phishing attacker can use the cloud services to host an attack on the cloud. Secondly the phishing attack can be done through the traditional social engineering techniques.
            In order to prevent a phishing attack Dropbox has implemented a two-factor authentication that authenticates an user based on an identity that can only be known by the user or the characteristic of the identification is with the user. Two-factor authentication is defined as a user entering in two of the following three properties to prove his/her identity.
·         Something the user knows. (e.g. password, pin).
·         Something the user has (e.g. ATM card).
·         Something the user is (e.g. biometric characteristic such as fingerprint)

4.0.4 Traffic Flooding
            Traffic Flooding is basically used to bring the network down by flooding the network with large number of requests. Traffic Flooding attacks occurs when a network or service becomes so weighed down with packets initiating incomplete connection requests that the network cannot process genuine connection requests. Eventually the host’s memory buffer is full leading to a Denial of Service.
            There occurred an incident with a company called LastPass, a cloud based password storage and management company which reported that the amount of data retrieved from the database server were more as compared to the incoming data.

5.0   REFERENCES
           
Security Threats in Cloud Computing Environment by Kangchan Lee

Cloud Computing Security : A Survey by Issa M. Khalil, Abdallah Khreishah and Muhammad Azeem.

Cloud Computing Security Case Studies and Research by Chimerre Barron, Huiming Yu and JustinZhan