RISK & SECURITY I SSUES IN CLOUD COMPUTING
A Brief Documentary by
Soumyajit Basu
Student Of
SYMBIOSIS
INSTITUTE
OF COMPUTER
STUDIES
AND RESEARCH
(SICSR)
AFFILIATED UNDER
SYMBIOSIS
INTERNATIONAL
UNIVERSITY
(SIU)
1.0 ABSTRACT
Cloud is an emerging technology in today’s
world of providing infrastructure to the growing Information Technology. It is
a step forward to implementing complex business strategies and planning as the
client side does not have to worry about limited resources for the deployment
of their business applications. It is a flexible and scalable information
technology infrastructure to enable business agility. But as proverb say that a
coin has two sides of it so does the cloud. Besides the pros of using this technology
there are cons of it too amongst which a major concern to this field is
security about which the documentary is based upon.
2.0 An Introduction to the Cloud
Cloud computing
has become the new bee in today’s world of computing technology. This
technology was implemented on a large scale since November 1988 when Amazon
launched its first cloud computing instance which is popularly known as the EC2
service which used to provide Infrastructure as a service (IaaS).
It helped in eliminating
the need to purchase huge amounts of software or software licenses for every
employee, reducing the need for advanced hardware eliminating the need for
companies to rent physical space to store servers and database and shifting the
workload from one resource to another. Cloud is the general term that is used
for computing that involves delivering hosted services over the internet. A few
features of cloud that helped its growth in implementing an industry’s
infrastructure were.
·
It
is sold on demand.
·
It
is elastic which means a user can have as much as or little of the service at a
given time.
·
The
services provided by the cloud are fully managed by the provider. These
services include Infrastructure as a service (IaaS) which involves providing
low level services that can be booted with a user-defined hard disk image,
Platform as a Service (PaaS), in PaaS the cloud providers provides an API which
can be used by an application developer to create applications on the provider’s
platform, Software as a Service (SaaS), with Software as a Service the vendor
supplies the software product and interacts with the user through a front-end
portal or a web based application for example Google Docs.
3.0 Risks Involved In Cloud
Prior to the
advantages of using cloud infrastructure there were some known risks which lets
an organization think before migrating its infrastructure and IT management
into the cloud technology. These risks may be detailed as follows.
Protection
Inconsistency
: Due to the decentralized architecture of the cloud infrastructure its’
protection mechanism can be inconsistent among distributed security modules.
Business
Discontinuity
: Since whole of the cloud infrastructure is based on the aspects of
networking, hardware and a large set of applications. Hence discontinuity in
any of the module may lead to the breakdown of the system thereby questioning
the aspect of “availability”.
Supplier
Lock-in
: The platform of a service provider requires some vendor specific hardware and
software application that is needed to be integrated with the client specific
system. Some vendor specific modules or workflows are implemented for
functionality extension and integration. However due to the lack of standard
API’s the portability to migrate to another supplier is not obvious or is a bit
too tough. This predicates the lack of freedom of replacing a service provider
in cloud.
Data
Unreliability
: Data protection includes access to data for confidentiality as well as its
integrity. Cloud service users have concern about how service providers handle
with their data, and whether their data is getting disclosed or illegally
altered. This makes a major differentiator from the business aspect point of
view whether to migrate IT infrastructure onto the cloud.
Hypervisor
Isolation Failure
: The hypervisor is considered as the base technology for cloud infrastructure.
Multiple virtual machines hosted onto the physical server share both the CPU
and memory resources. This causes a failure of isolation between two virtual
machines since it is easier for a virtual machine instance hosted on the
physical server to gain access on the other virtual machine thus causing
exposure of secured data. This may compromise both integrity as well as
confidentiality.
4.0
A Few Security Compromises In Cloud & Its’ Possible Solutions
Although cloud
computing helped many organizations grow their business there were some
drawbacks of it. These may be enlisted as follows.
4.0.1 XML Signature Wrapping Attack
The wrapping attacks
aimed at injecting a faked element into the message structure so that it is
processed by the application logic. As a result an attacker can perform an
arbitrary Web Service request while authenticating a legitimate user. This
attack was first found in the Amazon’s EC2 and S3 services. The flaw was
located in the web services security protocol which tricked the servers in
processing altered digitally signed SOAP messages. So the proposed solution for
this problem was found out by Dr. Jorg Schwenk. He gave a solution of adding an
additional bit called the STAMP bit along with the SOAP header. When the
message reaches the destination the STAMP bit is checked. If the STAMP bit is
changed then the request to generate a new value is generated by the browser
which is send back to the server in order to modify the authenticity checking
where the server checks the STAMP bit.
4.0.2 Malware Injection
Cloud malware
injection attacks refer to a manipulated copy of the victim’s service instance,
uploaded by the attacker to the cloud. So some service request to the victim’s
service is processed within the malicious instance. An attacker can get access
to the user data through this attack. The incidents of this attack include
credential information leakage, user private data leakage and unauthorized
access to cloud resources. Not only that the challenge also lies in the failure
to detect in which node the attacker uploaded the malicious instance.
A
serious case occurred in the United States Treasury Department where it was
detected that a malicious undetected iFrame (Inline Frame) HTML code was
embedded within the website HTML code that caused user’s credential leakage.
Another issue occurred when a rootkit (a malicious application that gets
activated each time the system boots up) was injected within the victim’s
machine that attempted to disable all anti-malware applications within the
system.
A
proposed solution to this problem was to use a FAT (File Allocation Table)
system architecture. The FAT identifies the code or application that the
customer is going to run. It maintains an index of all codes and applications
on the customer’s end that validates by checking the index of the customer’s
currently running instance with the index of the previously deployed instance.
This helps to check the validity and integrity of the new instance. Besides the
FAT a hypervisor will be needed to schedule all the instances but not before
checking the integrity of the instance from the FAT table of the customer’s
virtual machine.
4.0.3 Phishing Attacks
Phishing
is an attempt to access personal information from unsuspecting user through
social engineering techniques. It is commonly achieved by sending links of web
pages in emails or through instant messages. These links looks like legitimate
sites thereby leading a user to it. Phishing attacks can cause leakage of
valuable information such as credit card number, login information. There are
basically two kinds of phishing attacks. Formally a phishing attacker can use
the cloud services to host an attack on the cloud. Secondly the phishing attack
can be done through the traditional social engineering techniques.
In
order to prevent a phishing attack Dropbox has implemented a two-factor
authentication that authenticates an user based on an identity that can only be
known by the user or the characteristic of the identification is with the user.
Two-factor authentication is defined as a user entering in two of the following
three properties to prove his/her identity.
·
Something
the user knows. (e.g. password, pin).
·
Something
the user has (e.g. ATM card).
·
Something
the user is (e.g. biometric characteristic such as fingerprint)
4.0.4 Traffic Flooding
Traffic
Flooding is basically used to bring the network down by flooding the network
with large number of requests. Traffic Flooding attacks occurs when a network
or service becomes so weighed down with packets initiating incomplete
connection requests that the network cannot process genuine connection
requests. Eventually the host’s memory buffer is full leading to a Denial of
Service.
There
occurred an incident with a company called LastPass, a cloud based password
storage and management company which reported that the amount of data retrieved
from the database server were more as compared to the incoming data.
5.0 REFERENCES
Security
Threats in Cloud Computing Environment by Kangchan Lee
Cloud
Computing Security : A Survey by Issa M. Khalil, Abdallah Khreishah and
Muhammad Azeem.
Cloud
Computing Security Case Studies and Research by Chimerre Barron, Huiming Yu and
JustinZhan