SECURITY ISSUES IN CLOUD COMPUTING

By: Varun Agarwal

Outline
Cloud Computing Security Major Concern Physical Layer Security Network Level Security Management level Security General Issues

Cloud Computing

Cloud computing is the delivery of computing as a service rather than a product, whereby shared resources, software, and information are provided to computers and other devices as a utility over a network. Cloud computing providers deliver applications via the internet, which are accessed from a web browser, while the business software and data are stored on servers at a remote location.

Benefits of Cloud Computing :

Minimized Capital expenditure Location and Device independence Utilization and efficiency improvement Very high Scalability High Computing power

Why Security is Important???

Security concerns arising because both customer data and program are residing in Provider Premises. Security is always a major concern in Open System Architectures

Customer Data
Customer Customer Code Provider Premises

Dangers and Vulnerabilities

Security is to save data and program from danger and vulnerability Dangers

Theft of Information. Loss of Privacy. Damage information. Vulnerabilities

Hostile Program. Hostile people giving instructions to good programs. Bad guys corrupting or eavesdropping on communication

Common Security Requirements

Security at Different Levels

Server access security Internet access security Database access security Data privacy security Program access Security

We need to answer following Questions

What is Data Security at Physical Layer? What is Data Security at Network Layer? How much safe is data from Natural disaster? How much trusted is Encryption scheme of Service Provider?

DATA LOCATION
When user use the cloud, user probably won't know exactly where your data is hosted, what country it will be stored in? Data should be stored and processed only in specific jurisdictions as define by user. Provider should also make a contractual commitment to obey local privacy requirements on behalf of their customers, Data-centered policies that are generated when a user provides personal or sensitive information, that travels with that information throughout its lifetime to ensure that the information is used only in accordance with the policy

Data Policies

Backups of Data
Data store in database of provider should be redundantly store in multiple physical location. Data that is generated during running of program on instances is all customer data and therefore provider should not perform backups. Control of Administrator on Databases

Host Security Issues

The host running the job, the job may well be a virus or a worm which can destroy the system

Solution: A trusted set of users is defined through the distribution of digital certification, passwords, keys etc. and then access control policies are defined to allow the trusted users to access the resources of the hosts.

Some virus and worm create-Job Starvation Issue : where one job takes up a huge amount of resource resulting in a resource starvation for the other jobs.

Solutions:
Advanced reservations of resources priority reduction

Information Security
Security related to the information exchanged between different hosts or between hosts and users.
This issues pertaining to secure communication, authentication, and issues concerning single sign on and delegation. Secure communication issues include those security concerns that arise during the communication between two entities. These include confidentiality and integrity issues. Confidentiality indicates that all data sent by users should be accessible to only legitimate receivers, and integrity indicates that all data received should only be sent/modified by legitimate senders. Solution: XML Signature, XML Encryption, and the Secure Sockets Layer (SSL) enables secure authentication and communication over computer networks.

Identity Management:
Managing user access to applications and information based on proof of identity Combination of authentication (user identification) and authorization (user access rights) Controlling access is critical

Creating an Identity Management Infrastructure:

Improve methods of identity management something better than ID and passwords
Possibilities biometrics, user/device/location/time identification

Provide secure source of identity information Disable auxiliary ports

Establish clearly defined access policies

Cloud Security Structure

THE WEB SERVICES

A service WSDL SOAP UDDI

<Transport>

Client/Consumer

WS-SECURITY
Enhancement to SOAP Uses XML Encryption xmlenc XML Digital Signatures xmlsig SSL/TLS

XML ENCRYPTION
XML Encryption is a specification, that defines how to encrypt the contents of an XML element. XML Encryption use the KeyInfo element, and provides information to a recipient about what keying material to use in validating a signature or decrypting encrypted data. The KeyInfo element is optional: it can be attached in the message, or be delivered through a secure channel.

SOLUTIONS:
Encrypt Data in Small Portions:
We can Encrypt XML data in small portions rather than a complete document i.e documents,elements and element content level.

Use Different Encryption Keys:

While Encrypting we can use different encryption keys for different subdocuments and same keys can be used for decrypting the data. Session Management: Expiring session within required time when asking sensitive security.

SOLUTIONS (CONTD.)
We can set and certify the time, when the signature was made.
Use PGP keys, certificates or RSA keys for data signing and encryption
1) Pretty Good Privacy (PGP) is a data encryption and decryption computer
program that provides cryptographic privacy for data communication. 2)PGP encryption uses a serial combination of hashing, data compression, symmetric -key cryptography, and, finally,public-key-cryptography.

Use of Intruder detection Switches and Shield Connectors between Data Communication

XML SIGNATURE:
An XML signature is a digital signature obtained by applying a digital signature operation to arbitrary data. Existing technologies allow us to sign only a whole XML document. WE CAN PROVIDE A MEANS OF SIGNING A PORTION OF DOCUMENT. This functionality helps a lot whenever changes and additions to documents are required The Signature which is to be inserted in first represented as a hash function and the resulting value is place in the element along with other function.

EXAMPLE FOR XML SIGNATURE

Consider a patient record stored in a hospital repository. This record can contain several entries (diagnoses) coming from several doctors.
Each doctor wants to take responsibility only over her diagnosis.

In this case, every additional diagnosis added to the patient record must be singularly signed.
This important feature is supported by XML signature.

XML AUTHENTICATION
Value-based access control in which the access permission is decided by XML contents: XML contents must contain some identity information with the help of which user can grant to access permission. Access control on a specific node at an arbitrary depth: XML contents can provide security information at various XML subdocuments and XML infrastructure.

Management Related Issues:

Management is important as the cloud is heterogeneous in nature and may consist of multiple entities, components, users, domains, policies, and stake holders.

Credential Management:

Credential management systems store and manage the credentials for a variety of systems and users can access them according to their needs. Secure and safe storage of credentials is equally important.

HOW SECURE IS ENCRYPTION SCHEME

is the process of transforming information (referred to as plaintext) using an algorithm (called cipher) to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key. Is it possible for all of my data to be fully encrypted? What algorithms are used? Who holds, maintains and issues the keys? Problem: Encryption accidents can make data totally unusable. Encryption can complicate availability Solution The cloud provider should provide evidence that encryption schemes were designed and tested by experienced specialists.
Encryption

ENCRYPTION ALGORITHMS
Various Encrypion Algorithm Can be Used to encrypt data Such as DES,3DES,RSA,AES,IDEA,Blowfish etc RSA is one of the best encryption algorithm used for encrypting data.

RSA is widely used in electronic commerce protocols, and is believed to be sufficiently secure given sufficiently long keys and the use of up-to-date implementations.
The RSA algorithm can be used for both public key encryption and digital signatures. Its security is based on the difficulty of factoring large integers.

RSA ALGORITHM
RSA involves a public key and a private key. The public key can be known to everyone and is used for encrypting messages. Messages encrypted with the public key can only be decrypted using the private key. The keys for the RSA algorithm are generated the following way:

1. 2. 3. 4. 5.

Algorithm Choose two distinct prime numbers p and q. Compute n = pq. Compute z= (p1)(q1) Choose a number relatively Prime to z and call it d Find e such that e*d=1mod z

To encrypt a message P compute C=P^e(mod n) To decrypt a message you need d,n(private keys) P=C^d(mod n)

DISADVANTAGE
Its major disadvantage is that it requires keys of atleast 1024 bits for good security , which makes it quite slow. Moreover Security of this algorithm also depends on the factoring of RSA Modules. Encryption using this algo is cheap but decryption is costlier due to large key factoring

SOLUTIONS:
Large Key Size: One of the best way for secure encryption is to use large key size as large key size will be difficult to factor for the attackers Performance: We have to concentrate on three factors 1.Modular Calculation 2.Exponential Multiplication 3.Decryption Exponential Calculation One way is to prestore values from earlier calculations which save a lot of time in processing.

SOLUTIONS(CONT.)
For Decryption We can divide process as 1. One which schedule and perform RSA decryption.This can use round-robin strategy to aggregate the decryption request. 2. Other which send decryption request for decryption from the client. This can have two advantages 1. It improves the throughput of the RSA algorithm. 2. Scheduling improves the behaviour of system if message is bursty.

THANK YOU

QUESTIONS????