Abstract

Cloud computing is a growing area of concern in the IT security community because cloud architectures are literally popping up all over. Public clouds are available from Google.com, Amazon.com, Microsoft, Oracle/Sun, Canonical/Eucalyptus and many other vendors. Private cloud technologies, where the cloud software is loaded on local or in-house server hardware, are available from VMware, Eucalyptus, Citrix, Microsoft, and there are thousands of vendors offering “cloud solutions” of all sorts. A search for “private cloud hosting” on Google.com produced 581,000 page results. With all of the hyperbole has come a large swell of early-adopters and developers. This paper is concerned with discovery of the vulnerabilities in the landscape of clouds, discovery of security solutions, and finding evidence that early-adopters or developers have grown more concerned with security.

Keywords: cloud computing, cloud security

Security Issues and Solutions in Cloud Computing

This paper concerns security issues and solutions in cloud computing. Cloud computing is a catch-all phrase that covers virtualized operating systems running on virtual hardware on untold numbers of physical servers. The “cloud” term has consumed High-Performance Computing (HPC), Grid computing and Utility Computing. The Cloud Security Alliance has adopted the definition developed by NIST; a computing in the cloud is a model exhibiting the following characteristics, on-demand self-service, Broad Network Access, Resource pooling, and Rapid elasticity and Measured service (Cloud Security Alliance Guidance Version 2.1, 2009, p. 15). This is an area that appears to be growing larger and more pervasive as the benefits of cloud architectures become better understood. More organizations start their own cloud projects and more application developers sign on for cloud development as the hyperbole is shaken out and the real parameters of the key technologies are discovered and perfected. The basic areas of cloud vulnerability are similar to the standard issues that surround networking and networked applications. The issues specific to cloud architectures include network control being in in the hands of third parties and and a potential for sensitive data to be available to a much larger selection of third-parties, both on the staff of the cloud providers, and among the other clients of the cloud.

The quick adoption of the cloud model is plain in the success of the Amazon Elastic Cloud Computing (EC²) product, the buy-in from IBM with their backing of the highly concurrent, massively parallel language X-10 (Saraswat, Vijay, 2010) and Microsoft’s investment in its Azure cloud (Qiu et al., 2009). Janine Milne reported that eight of ten businesses surveyed in the UK were opting for private cloud initiatives rather than public cloud projects and they stated the issues of concern to be data security in transit, in storage or during processes (Milne, 2010). It is plain that the field is full and the harvest for the IT security profession and IT in general are excellent.

The literature available on cloud security is plentiful, and there is enough higher-quality work to develop a conceptual framework for security issues and solutions

Background

Cloud computing is a marketing term that refers to web-based application, storage, and communications services. Though this move to computing “in the cloud” seems to be inevitable, at least part of the reason why it is inevitable is expedience for the supplier companies, and vendor lock-in, or as Richard Stallman says in the Guardian, “…If you use a proprietary program or somebody else’s web server, you’re defenceless (sic). You’re putty in the hands of whoever developed that software. (“Cloud computing is a trap, warns GNU founder | Technology | guardian.co.uk,” 2008)“ Perhaps because the definition of “Cloud Computing” is so broad and vague, there is a tendency to define it by what it is not. There is also a tendency to define as “cloud computing” whatever is in great supply, such as a large data center’s surplus processing capacity. Christodorescu, Sailer, Schales, Sgandurra & Zamboni (2009) point out that clouds are not synonymous with virtualization though most clouds must use some sort of virtualization at hardware, OS or application level (Christodorescu, Sailer, Schales, Sgandurra, & Zamboni, 2009, p. 99).

Vulnerabilities

Cloud computing shares in common with other network-based application, storage and communication platforms certain vulnerabilities in several broad areas:

• Web application vulnerabilities, such as cross-site scripting and sql injection (which are symptomatic of poor field input validation, buffer overflow; as well as default configurations or mis-configured applications.
• Accessibility vulnerabilities, which are vulnerabilities inherent to the TCP/IP stack and the operating systems, such as denial of service and distributed denial of services (Krügel, Toth, & Kirda, 2002)
• Authentication of the respondent device or devices. IP spoofing, RIP attacks, ARP poisoning (spoofing), and DNS poisoning are all too common on the Internet. TCP/IP has some “unfixable flaws” such as “trusted machine” status of machines that have been in contact with each other, and tacit assumption that routing tables on routers will not be maliciously altered.
• Data Verification, tampering, loss and theft, while on a local machine, while in transit, while at rest at the unknown third-party device, or devices, and during remote back-ups.
• Physical access issues, both the issue of an organization’s staff not having physical access to the machines storing and processing a data, and the issue of unknown third parties having physical access to the machines
• Privacy and control issues stemming from third parties having physical control of a data is an issue for all outsourced networked applications and storage, but cloud architectures have some specific issues that are distinct from the usual issues. Christodorescu, et al. show a significant gap between what is assumed and what is reality, i.e., all virtual machines are brought into existence clean, when in reality a compromised hypervisor can spawn compromised VMs, or all VM operating systems are known and available for audit, when in reality the Windows source-code, among others, is not available for audit (Christodorescu et al., 2009, p. 100).

Security Solutions

There are several groups interested in developing standards and security for clouds and cloud security. The Cloud Security Alliance (CSA) is gathering solution providers, non-profits and individuals to enter into discussion about the current and future best practices for information assurance in the cloud (“Cloud Security Alliance (CSA) – security best practices for cloud computing,” 2009) The Cloud Standards web site is collecting and coordinating information about cloud-related standards under development by other groups (“CloudsStandards,” 2010). The Open Web Application Security Project (OWASP) maintains a “top 10” list of vulnerabilities to cloud-based or Software as a Service deployment models which is updated as the threat landscape changes (“OWASP,” 2010). The Open Grid Forum publishes documents to containing security and infrastructural specifications and information for grid computing developers and researchers (“Open Grid Forum,” 2010).

Web Application Solutions

The best security solution for web applications is to develop a development framework that shows and teaches a respect for security. Tsai, W., Jin, Z., & Bai, X. (2009) put forth a four-tier framework for web-based development that though interesting, only implies a security facet in the process (Tsai, Jin, & Bai, 2009, p. 1). “Towards best practices in designing for the cloud” by Berre, Roman, Landre, Heuvel, Skår, Udnæs, Lennon, & Zeid (2009) is a road map toward cloud-centric development (Berre et al., 2009), and the X10 language is one way to achieve better use of the cloud capabilities of massive parallel processing and concurrency .(Saraswat, Vijay, 2010)

Accessibility Solutions

Krügel, C., Toth, T., & Kirda, E. (2002) point out the value of filtering a packet-sniffer output to specific services as an effective way to address security issues shown by anomalous packets directed to specific ports or services (Krügel et al., 2002)

(Krügel et al., 2002) An often-ignored solution to accessibility vulnerabilities is to shut down unused services, keep patches updated, and reduce permissions and access rights of applications and users.

Authentication Solutions

Halton and Basta (2007) suggest one way to avoid IP spoofing by using encrypted protocols wherever possible. They also suggest avoiding ARP poisoning by requiring root access to change ARP tables; using static, rather than dynamic ARP tables; or at least make sure changes to the ARP tables are logged. (Basta & Halton, 2007, p. 166).

Data Verification, Tampering, Loss and Theft Solutions

Raj, Nathuji, Singh and England (2009) suggest resource isolation to ensure security of data during processing, by isolating the processor caches in virtual machines, and isolating those virtual caches from the Hypervisor cache (Raj, Nathuji, Singh, & England, 2009, p. 80). Hayes points out that there is no way to know if the cloud providers properly deleted a client’s purged data, or whether they saved it for some unknown reason (Hayes, 2008, p.(Hayes, 2008, p. 11). Would cloud-providers and clients have custody battles over client data?

Privacy and Control Solutions

Hayes (2008) points out an interesting wrinkle here, “Allowing a third-party service to take custody of personal documents raises awkward questions about control and ownership: If you move to a competing service provider, can you take a data with you? Could you lose access to a documents if you fail to pay a bill?” (Hayes, 2008, p. 11). The issues of privacy and control cannot be solved, but merely assured with tight service-level agreements (SLAs) or by keeping the cloud itself private.

Physical access solutions

One simple solution, which Milne (2010) states to be a widely used solution for UK businesses is to simply use in-house “private clouds” (Milne, 2010). Nurmi, Wolski, Grzegorczyk, Obertelli, Soman, Youseff, & Zagorodnov show a preview of one of the available home-grown clouds in their (2009) presentation. “The Eucalyptus Open-Source Cloud-Computing System” (Nurmi et al., 2009).

Conclusion

The largest gaps between cloud-security practice and cloud-security research lies in the fact that the assumptions in the research leave out some very important differences between cloud security and virtual machine security, as pointed out by Christodorescu et al. (2009). My research questions will center around these differences, and I intend to develop a mixed-method research framework to discover how the vulnerabilities are exploited, and what must be done to close the vulnerabilities. One of the pieces of the framework might be developing a way to monitor the cloud’s management software, and another might be development of isolated processing for specific clients’ applications. Having a way to tell whether the virtual machines in the cloud are patched properly would also be a useful part of the framework. People’s behavior can be tracked and monitored; for instance whether people allow the automated patching software to run, or updating anti-virus software definitions (on virtual machines running operating systems that are susceptible to viruses, worms and other such malware), or whether people understand how to harden their virtual machines in the cloud.

Annotated Bibliography

Basta, A., & Halton, W. (2007). Computer Security and Penetration Testing (1st ed.). Delmar Cengage Learning.

This source is an exhaustive overview of the common computer security issues and penetration tools used to exploit these vulnerabilities. The methodology of the several experiments with the tools of the penetration-testing trade is quantitative primary research by Halton. This textbook was peer-reviewed, and the authors are both educators in the field of IT and IT security. Basta received his PhD in Mathematics from Alexandria University in Egypt and Halton helped develop the Masters in IT Security & Assurance at Capella University. Writing this book was very useful in my professional career. It is one of fifteen or sixteen very good resource for concisely-written security basics. It would be immodest to give it a rating for quality.

Berre, A. J., Roman, D., Landre, E., Heuvel, W. V. D., Skår, L. A., Udnæs, M., Lennon, R., et al. (2009). Towards best practices in designing for the cloud. In Proceeding of the 24th ACM SIGPLAN conference companion on Object oriented programming systems languages and applications (pp. 697-698). Orlando, Florida, USA: ACM. Retrieved from http://portal.acm.org.library.capella.edu/citation.cfm?id=1639950.1639970 &coll=portal&dl=ACM&CFID=80867670&CFTOKEN=24312614

Towards best practices in designing for the cloud by Berre, A. J., Roman, D., Landre, E., Heuvel, W. V. D., SkÃ¥r, L. A., Udnæs, M., Lennon, R., & Zeid, A. (2009). The authors’ biographies are present and it is readily apparent that they have the skills and experience to write about this topic (Berre et al., 2009, p. 2). This document is more like a brochure than a report of research findings, but it gives a good framework upon which to develop best practices for cloud development. I give it a 2 out of 10. It is credible but not very useful (Berre et al., 2009). It has not been cited in any other work (“ACM Portal,” 2010).

Christodorescu, M., Sailer, R., Schales, D. L., Sgandurra, D., & Zamboni, D. (2009). Cloud security is not (just) virtualization security: a short paper. In Proceedings of the 2009 ACM workshop on Cloud computing security (pp. 97-102). Chicago, Illinois, USA: ACM. Retrieved from http://portal.acm.org.library.capella.edu/citation.cfm?

Cloud security is not (just) virtualization security: a short paper by Christodorescu, M., Sailer, R., Schales, D. L., Sgandurra, D., & Zamboni, D. (2009)..There are five listed authors on this piece, and they are all researchers at IBM, a company well known for its interest in cloud computing. There are no footnotes but the mechanics of the article and the flow are excellent. There are sixteen references on this rather short, six page paper. This article comes from the proceedings of an ACM workshop, which is second-best, so far as refereed publication goes. A feature article in one of the ACM journals would be stronger. It has not been cited by any other work, per the ACM catalog (“ACM Portal,” 2010)

(“ACM Portal,” 2010) There is no evidence that this article has been reviewed by peers, and I give it an 8 out of 10 for quality. (Christodorescu et al., 2009).

Cloud computing is a trap, warns GNU founder | Technology | guardian.co.uk. (n.d.). . Retrieved March 31, 2010, from http://www.guardian.co.uk/technology/2008/sep/29/cloud.computing.richard.stallman

This short article, printed in the UK-based Guardian paper and also online on their web site, points out the self-fulfilling prophesy aspect of cloud computing, with quotes from the always remarkable Richard Stallman and also Larry Ellison of Oracle, among others. Larry Ellison says “”The interesting thing about cloud computing is that we’ve redefined cloud computing to include everything that we already do, … (“Cloud computing is a trap, warns GNU founder | Technology | guardian.co.uk,” 2008) He is pointing out the marketing spin that large companies, such as Amazon.com developed the SAAS model to get paid for their excess network capability. This is an opinion piece and though thought-provoking, gets only 3 out of 10 for quality.

Cloud Security Alliance (CSA) – security best practices for cloud computing. (2009). . Retrieved April 16, 2010, from http://www.cloudsecurityalliance.org/

The Cloud Security Alliance is an industry group created to promote best practices in security within cloud computing platforms and to educate practitioners to use cloud technologies to make other computer architectural models more secure (“Cloud Security Alliance (CSA) – security best practices for cloud computing,” 2009)

(“Cloud Security Alliance (CSA) – security best practices for cloud computing,” 2009) This goal is in alignment with my own aims in research and practice, and the site is a useful source for news related to cloud security.

Cloud Security Alliance Guidance Version 2.1. (2009). . Cloud Security Alliance. Retrieved from www.cloudsecurityalliance.org/guidance/csaguide.v2.1.pdf

This resource is a “best practices” document provided by the Cloud Security Alliance (“Cloud Security Alliance (CSA) – security best practices for cloud computing,” 2009)(“CloudStandards,” 2010)

for guiding practitioners toward a more secure infrastructure. This is a useful starting point for developing a framework for further research.

CloudStandards. (2010 3). . Retrieved April 16, 2010, from http://cloud-standards.org/wiki/

Cloud Standards is an aggregation site chronicling the progress of several organizations that develop the technological standards for the architecture, control and security of clouds. This is a useful site for monitoring the progress of standardization, and for developing my own research questions (“CloudStandards,” 2010)(Hayes, 2008).

Hayes, B. (2008). Cloud computing. Commun. ACM, 51(7), 9-11. Retrieved from http://portal.acm.org.library.capella.edu/ft_gateway.cfm?id=1364786&type=html&coll=portal&dl=ACM&CFID=80867670&CFTOKEN=24312614

Cloud computing by Hayes, B. (2008). This is an overview article in the ACM’s “Communications of the ACM.” There is only a single author and though plainly a credible journalist, the author makes no claim to special expertise in this area. It is easy to read but contains only second-hand information. It has been cited thirteen times by other researchers and has been a starting place for over 15,000 readers, based upon the ACM’s record. It is a weak source from a solid journal , and I give it a 4 out of 10 (Krügel et al., 2002).

Krügel, C., Toth, T., & Kirda, E. (2002). Service specific anomaly detection for network intrusion detection. In Proceedings of the 2002 ACM symposium on Applied computing (pp. 201-208). Madrid, Spain: ACM. Retrieved from http://portal.acm.org.library.capella.edu/citation.cfm?id=508835&dl=GUIDE&coll=GUIDE&CFID=80867670&CFTOKEN=24312614

This resorce is an example of quantitative research relating to Service Specific Anomaly Detection. Krügel, Toth and Kirda present the results from a sample of over 75,000 DNS packets to show the value of anomaly detection in the DNS service for developing security solutions for networks (Krügel et al., 2002)(Tsai et al., 2009, p. 2). I give it 7 out of 10 rating for quality.

Milne, J. (2010, February 9). Private cloud projects dwarf public initiatives. Retrieved from http://www.cbronline.com/news/private_cloud_projects_dwarf_public_initiatives_281009

Milne shows the result of a 2009 survey of UK businesses, and shows the physical access issue is taken very seriously in the UK. The surveu reported appears to be a quantitative study of businesses, and is of medium quality, as it published on the business website, and the writer’s qualifications are not mentioned. I give it a 2 out of 10 for quality.

Nurmi, D., Wolski, R., Grzegorczyk, C., Obertelli, G., Soman, S., Youseff, L., & Zagorodnov, D. (2009). The Eucalyptus Open-Source Cloud-Computing System. In Proceedings of the 2009 9th IEEE/ACM International Symposium on Cluster Computing and the Grid (pp. 124-131). IEEE Computer Society. Retrieved from http://portal.acm.org.library.capella.edu/citation.cfm?id=1577849.1577895&coll=GUIDE&dl=GUIDE&CFID=80024999&CFTOKEN=42205166

The Eucalyptus Open-Source Cloud-Computing System by Nurmi, D., Wolski, R., Grzegorczyk, C., Obertelli, G., Soman, S., Youseff, L., & Zagorodnov, D. (2009). is from yet another conference proceeding. It eminates from the University of California, Santa Barbara, and this feature, as well as the open-source nature of the topic, lead one to imagine their bias is not commercial. The article is only eight pages long but carries forty-one references. It has been cited in four other works (“ACM Portal,” 2010). It is a useful article in the “private cloud” space. I give it 7 out of 10 for quality (Nurmi et al., 2009).

OWASP. (2010 2). . Retrieved April 16, 2010, from http://www.owasp.org/index.php/

The Open Web Application Security Project (OWASP) is a not-for-profit organization that develops security software for application testing(“OWASP,” 2010). OWASP is concerned with Internet and cloud technologies because these areas of study contain myriad application-level vulnerabilities, which are poorly understood by the people who deploy web applications. This is a useful site for application-security researchers.

Open Grid Forum. (2010). . Retrieved April 16, 2010, from http://www.ogf.org/

“The Open Grid Forum (OGF) is a community of users, developers, and vendors leading the global standardization effort for grid computing” (“Open Grid Forum,” 2010). This is a central point for discussion of grid computing standards. It is a useful site for developing research questions in the grid and cloud space.

Raj, H., Nathuji, R., Singh, A., & England, P. (2009). Resource management for isolation enhanced cloud services. In Proceedings of the 2009 ACM workshop on Cloud computing security (pp. 77-84). Chicago, Illinois, USA: ACM. Retrieved from http://portal.acm.org.library.capella.edu/citation.cfm?id=1655008.1655019&coll=portal&dl=ACM&CFID=80867670&CFTOKEN=24312614

Resource management for isolation enhanced cloud services by Raj, H., Nathuji, R., Singh, A., & England, P. (2009). This source was first presented at the same 2009 ACM conference as the Christodorescu et al. article above. All four authors are Microsoft employees, so it would not be terribly surprising if their research is done in Microsoft’s Azure cloud and uses the Hypervisor VM management tool. The writing is effective and the results, though not injurious to Microsoft, may be useful in evaluating other companies tools. They have sixteen cited works and are cited in no other research per the ACM Portal. This is primary research and so I give it 7 out of 10 for quality and validity (Raj et al., 2009).

Saraswat, Vijay. (2010). Report on the Programming Language X10. x10-lang.org. Retrieved from http://dist.codehaus.org/x10/documentation/languagespec/x10-latest.pdf

This document is the current specification for the X10 programming language. The author is one of the project members and programmers on the team, and an IBM employee. It is an authoritative piece, retrieved from the project’s home page. I would give it 9 out of 10 for quality. The only thing that would make it a perfect ten would be if it was published through a refereed scholarly journal.

Tsai, W., Jin, Z., & Bai, X. (2009). Internetware computing: issues and perspective. In Proceedings of the First Asia-Pacific Symposium on Internetware (pp. 1-10). Beijing, China: ACM. Retrieved from http://portal.acm.org.library.capella.edu/ citation.cfm?id=1640206.1640207&coll=GUIDE&dl=GUIDE&CFID= 80867670&CFTOKEN=24312614

This resource is high-quality overview of an initiative called Internetware, which focuses on a development model suggested by Yang in 2008 with a four-step structure based upon building a software project through the following four models:

• Basic component model,
• Context-driven model,
• Collaborative model,
• Intelligent trustworthy model (Tsai, Jin, & Bai, 2009, p1)

There are five focal points for Internetware: Lifecycle model for Internetware, Ontology, Modeling and simulation, Social ranking for software evaluation, and Adaptation and control (Tsai et al., 2009, p. 2). I give it 7 out of 10 for quality and validity.