Cloud Computing Security

This document discusses cloud computing security, highlighting both its benefits and risks. It emphasizes the importance of understanding security responsibilities between cloud providers and users, as well as the various vulnerabilities associated with cloud computing. The paper concludes with a call for further research into improving cloud security mechanisms.

Uploaded by

isaac.lolwe

KENYATTA UNIVERSITY

SCHOOL OF ENG. & TECHNOLOGY


DEPT. OF ELECTRICAL AND ELECTRONIC ENGINEERING.

Group Members

CHRISPIN ONYANGO OBUDHO J27/1828/2009

EVANSON BIWOTT J27/1834/2009

UNIT NAME: DISTRIBUTED SYSTEMS

UNIT CODE: SCT 403

ASSIGNMENT: Research on Cloud Computing Security.

DATE: 11TH DEC 2012

Cloud computing security

SCT 403- Distributed Systems


Abstract

The term Cloud computing becomes more popular day by day. As this is happening, security
concerns start to arise. Maybe the most critical one is that as information is spread into the
cloud, the owner starts to lose control of it. In this paper we attempt to give a brief overview
of what is described by the term Cloud computing and introduce what we mean by Cloud computing
security [Brunette, 2009]. We then discuss the security benefits that Cloud computing introduces
and the security risks that arise from its adoption, according to [ENISA, 2009].

Introduction

The foundations of Cloud computing started to be built in the early 90's. The main idea behind
cloud computing is to separate the infrastructure and the mechanisms that a system is composed of
from the applications and services that it delivers [Brunette, 2009]. Clouds are designed in such
a way that they can scale easily, be always available and reduce operational costs. That is
achieved through on-demand multi-tenancy of applications, information and hardware resources
(such as network infrastructure, storage resources and so on). According to [Mell, 2009], Cloud
computing is composed of five Essential Characteristics, three Service Models and four
Deployment Models, as shown in the figure below.

Security

The way that security control is implemented in Cloud computing is most of the time
similar to that of traditional IT environments. However, due to the distributed nature of the
assets, security risks vary depending on the kind of assets in use, how and by whom those assets
are managed, which control mechanisms are used and where they are located, and finally who
consumes those assets [Brunette, 2009]. Furthermore, earlier we mentioned multi-tenancy.
This means that a set of policies should be implemented governing how isolation of resources,
billing, segmentation and so on are achieved in a secure and concise way.

In order to measure whether the security that a Cloud Provider (CP) offers is adequate, we
should take into consideration the maturity, effectiveness and completeness of the risk-adjusted
security controls that the CP implements. Security can be implemented at one or more
levels. The levels that cover just the Cloud infrastructure are physical security, network
security, system security and application security. Additionally, security can take place at a
higher level, on people, duties and processes.

It is necessary at this point to have an understanding of the different security responsibilities
that CPs and end users have. In addition, sometimes the security responsibilities differ even
among different CPs.

Security Benefits

Security and the benefits of scale: when implementing security on a large system, the cost
of its implementation is shared across all resources and as a result the investment ends up being
more effective and cost saving.

Security as a market differentiator: as confidentiality, integrity and resilience are a priority
for many end users, the decision on whether they will choose one CP over another is made based
on the reputation this CP has on security issues. Hence, competition among CPs makes them
provide high-level services.

Standardized interfaces for managed security services: as CPs use standardized interfaces to
manage their security services, the Cloud computing market benefits from the uniformity and
tested solutions this introduces.

Rapid, smart scaling of resources: Cloud computing is considered resilient since it has the ability
to dynamically reallocate resources for filtering, traffic shaping, authentication, encryption.

Audit and evidence gathering: since virtualization is used in order to achieve Cloud computing, it
is easy to collect all the audits that we need in order to proceed with forensic analysis without
causing downtime during the gathering process.

More timely, effective and efficient updates and defaults: another thing that Cloud computing
gains from virtualization is that virtual machines (VMs) can come pre-patched and hardened
with the latest updates. Also, in case of a configuration fault or a disaster caused by changes
made on the VM, we can roll back to a previous stable state.

Benefits of resource concentration: having all of your resources concentrated makes them cheaper
to maintain and makes physical access to them easier. Most of the time that outweighs the risks
and disadvantages that this generates.

Security Risks

The following classes of cloud computing risks were identified:

Loss of governance: as users do not physically possess any resources, CPs can take control of a
number of resources. If those resources are not covered by an SLA, security risks arise.

Lock-in: as we write this paper there is still no standardization on how to move data and
resources among different CPs. That means that if a user decides to move from one CP to another,
or even to migrate those services in-house, they might not be able to do so due to
incompatibilities between those parties. This creates a dependency of the user on a particular CP.

Isolation failure: one of the disadvantages of multi-tenancy and shared resources occurs when
the resource isolation mechanism fails to separate the resources among users. That can occur
either due to an attack (guest-hopping attacks) or due to poor mechanism design. At present,
attacks of this kind are rare compared to those on traditional OSs, but we certainly cannot rely
on that fact alone. This risk category covers the failure of mechanisms separating storage,
memory, routing and even reputation between different tenants.

Compliance risks: the investment in achieving certification may be put at risk due to the
following:

• The CP cannot provide evidence of their own compliance with the relevant requirements.

• The CP does not permit audit by the cloud customer (CC).

In addition, it is possible that compliance with industry standards cannot be achieved when using
public Cloud computing infrastructure.

Management interface compromise: CPs provide users with management interfaces for their
resources on public Cloud infrastructures. Those interfaces are available over the internet, so
vulnerabilities in remote access applications or web browsers can give unauthorized users access
to resources.

Data protection: it is possible for a CP to handle data in ways that are not known to the user
(or not lawful), since the user loses complete governance of the data. This problem becomes even
more obvious when data are transferred often between locations. On the other hand, there are many
CPs that provide information on how they handle data, while other CPs additionally offer
certification summaries of their data processing and data security activities.

Insecure or incomplete data deletion: when data is deleted, various systems will not completely
wipe it out. Such is the case with Cloud computing as well. Furthermore, difficulties in deleting
a resource on time might arise due to multi-tenancy or due to the fact that many copies of this
resource can exist for backup/redundancy reasons. In cases like this, the added risk to the
user's data protection is obvious.

Malicious insider: there is always the possibility that an insider intentionally causes damage.
For that reason, a policy specifying roles for each user should be available.

The risks described above constitute the top security risks of cloud computing. [ENISA, 2009]
further categorizes risks into policy and organizational risks, technical risks, legal risks and
finally risks not specific to the cloud.

Vulnerabilities

Vulnerabilities: Special care should be given to the authentication, authorization and accounting
system that CPs will use. Poorly designed systems can result in unauthorized users gaining
access to resources, with unwanted results for both the CP (legally) and the user (loss of
information).

User provisioning vulnerabilities:

• Customer cannot control provisioning process.

• Identity of customer is not adequately verified at registration.

• Delays in synchronization between cloud system components (time wise and of profile
content) happen.

• Multiple, unsynchronized copies of identity data are made.

• Credentials are vulnerable to interception and replay.

User de-provisioning vulnerabilities: Due to time delays that might occur, credentials of users
who have earlier logged out might still appear to be valid.
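The synchronization delay described above can be made concrete with a small simulation. This is an added example, not part of the original paper: the class names, the 300-second sync interval and the 5-second staleness bound are assumptions chosen for illustration, and bounding replica staleness is only one possible mitigation.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class IdentityStore:
    """Authoritative identity store (hypothetical): user -> de-provisioning time."""
    revoked_at: dict = field(default_factory=dict)

    def deprovision(self, user: str, now: int) -> None:
        self.revoked_at[user] = now

    def is_active(self, user: str, now: int) -> bool:
        t = self.revoked_at.get(user)
        return t is None or now < t

@dataclass
class CloudComponent:
    """A component that authorizes from a periodically synchronized replica."""
    store: IdentityStore
    sync_interval: int                    # seconds between replica refreshes
    max_staleness: Optional[int] = None   # None = trust the replica however old
    last_sync: int = 0
    revoked_replica: set = field(default_factory=set)

    def authorize(self, user: str, now: int) -> bool:
        if now - self.last_sync >= self.sync_interval:
            # Scheduled refresh: copy the revocations known at this moment.
            self.revoked_replica = {u for u, t in self.store.revoked_at.items() if t <= now}
            self.last_sync = now
        if self.max_staleness is not None and now - self.last_sync > self.max_staleness:
            # Replica too old to trust: ask the authoritative store directly.
            return self.store.is_active(user, now)
        return user not in self.revoked_replica

def exposure_seconds(max_staleness: Optional[int]) -> int:
    """Seconds during which a de-provisioned user is still accepted."""
    store = IdentityStore()
    node = CloudComponent(store, sync_interval=300, max_staleness=max_staleness)
    assert node.authorize("alice", now=5)   # still provisioned at t=5
    store.deprovision("alice", now=10)      # constructed scenario
    return sum(node.authorize("alice", now=t) for t in range(10, 600))

if __name__ == "__main__":
    print("replica trusted blindly:", exposure_seconds(None), "s of stale access")
    print("staleness bounded to 5 s:", exposure_seconds(5), "s of stale access")
```
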

Remote access to management interface: Theoretically, this allows vulnerabilities in end-point
machines to compromise the cloud infrastructure (single customer or CP) through, for example,
weak authentication of responses and requests.
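For the credential replay item in the provisioning list and the weak request authentication mentioned for the management interface, the following added example (not from the original paper) shows one way a server can authenticate requests and reject replays, using an HMAC over the request plus a timestamp and a nonce. The key, the request paths and the 300-second window are constructed assumptions.

```python
import hashlib
import hmac

MAX_SKEW = 300  # seconds a request stays fresh (assumed policy value)

def sign(key: bytes, method: str, path: str, body: bytes, ts: int, nonce: str) -> str:
    """HMAC-SHA256 over every field the server acts on, plus timestamp and nonce."""
    fields = [method, path, str(ts), nonce, hashlib.sha256(body).hexdigest()]
    return hmac.new(key, "\n".join(fields).encode(), hashlib.sha256).hexdigest()

class ManagementApiVerifier:
    def __init__(self, key: bytes):
        self.key = key
        self.seen = {}  # nonce -> timestamp, kept only while still fresh

    def verify(self, req: dict, now: int) -> str:
        if abs(now - req["ts"]) > MAX_SKEW:
            return "stale"
        expected = sign(self.key, req["method"], req["path"], req["body"], req["ts"], req["nonce"])
        if not hmac.compare_digest(expected, req["sig"]):
            return "bad-signature"
        # Nonces older than the window can be dropped: the freshness check
        # above already rejects any request that could reuse them.
        self.seen = {n: t for n, t in self.seen.items() if abs(now - t) <= MAX_SKEW}
        if req["nonce"] in self.seen:
            return "replay"
        self.seen[req["nonce"]] = req["ts"]
        return "ok"

def demo() -> list:
    key = b"constructed-demo-key"  # placeholder; real keys come from a secret store
    req = {"method": "POST", "path": "/vm/42/stop", "body": b"{}", "ts": 1000, "nonce": "n-0001"}
    req["sig"] = sign(key, req["method"], req["path"], req["body"], req["ts"], req["nonce"])
    server = ManagementApiVerifier(key)
    tampered = dict(req, path="/vm/42/delete")  # captured request with an altered target
    return [
        server.verify(req, now=1002),       # legitimate first delivery
        server.verify(req, now=1010),       # same bytes sent again inside the window
        server.verify(req, now=1301),       # same bytes sent after the window
        server.verify(tampered, now=1003),  # signature no longer matches
    ]

if __name__ == "__main__":
    print(demo())
```
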

Hypervisor vulnerabilities: In virtualized environments, the hypervisor is a small piece of
middleware that is used to control the physical resources assigned to each VM. Exploitation of
the hypervisor layer will result in exploitation of every single VM on a physical system.

Lack of resource isolation: Resource use by one customer can affect resource use by another
customer. For example, IaaS infrastructures use systems on which physical resources are shared
among VMs and hence among many different users.

Lack of reputational isolation: Resource sharing can result in one user acting in such a way
that its actions have an impact on the reputation of another user.

Communication encryption vulnerabilities: while data move across the internet or among
different locations within the CP premises, it is possible for someone to read the data
when there is poor authentication, acceptance of self-signed certificates and so on.

Lack of or weak encryption of archives and data in transit: In conjunction with the above,
failing to encrypt data in transit, data held in archives and databases, un-mounted virtual
machine images, forensic images and data, sensitive logs and other data at rest puts those data
at risk.

Poor key management procedures: Cloud computing infrastructures require the management and
storage of many different kinds of keys; examples include session keys to protect data in transit,
file encryption keys, key pairs identifying cloud providers, key pairs identifying customers,
authorization tokens and revocation certificates. Because virtual machines do not have a fixed
hardware infrastructure and cloud based content tends to be geographically distributed, it is more
difficult to apply standard controls, such as hardware security module (HSM) storage, to keys on
cloud infrastructures.

Key generation: low entropy for random number generation: The combination of standard
system images, virtualization technologies and a lack of input devices means that systems have
much less entropy than physical RNGs.

Lack of standard technologies and solutions: This is the case of lock-in risk, where users cannot
move across different providers due to the lack of standards.

No control on vulnerability assessment process: If CPs do not prevent their users from port
scanning and testing for possible vulnerabilities, and there is no audit on the time of use (ToU)
for a user (something that places responsibility on the customer), severe infrastructure security
problems will arise.

Possibility that internal (Cloud) network probing will occur: Cloud customers can perform port
scans and other tests on other customers within the internal network.

Possibility that co-residence checks will be performed: Side-channel attacks exploiting a lack of
resource isolation allow attackers to determine which customers share which resources.

Lack of forensic readiness: While the cloud has the potential to improve forensic readiness,
many providers do not provide appropriate services and terms of use to enable this. For example,
SaaS providers will typically not provide access to the IP logs of clients accessing content. IaaS
providers may not provide forensic services such as recent VM and disk images.

Sensitive media sanitization: Shared tenancy of physical storage resources means that sensitive
data may leak because data destruction policies applicable at the end of a lifecycle may either be
impossible to implement because, for example, media cannot be physically destroyed because a
disk is still being used by another tenant or it cannot be located, or no procedure is in place.

Synchronizing responsibilities or contractual obligations external to cloud: Cloud customers are
often unaware of the responsibilities assigned to them within the terms of service. There is a
tendency towards a misplaced attribution of responsibility for activities such as archive
encryption to the cloud provider even when it is clearly stated in the terms of the contract
between the two parties that no such responsibility has been undertaken.

Cross-cloud applications creating hidden dependency: Hidden dependencies exist in the services
supply chain (intra- and extra-cloud dependencies) and the cloud provider architecture does not
support continued operation from the cloud when the third parties involved, subcontractors or the
customer company, have been separated from the service provider and vice versa.

SLA clauses with conflicting promises to different stakeholders: An SLA might include terms
that conflict with one another, or that conflict with clauses made by other providers.

SLA clauses containing excessive business risk: From the CP's perspective, an SLA can hide a
number of business risks when one thinks of the possible technical failures that might arise.
From the end user's point of view, SLAs can include terms that are disadvantageous.

Audit or certification not available to customers: The CP cannot provide any assurance to the
customer via audit certification.

Certification schemes not adapted to cloud infrastructures: CPs will not really take any actions
to provide security measures that comply with Cloud computing security standards.

Inadequate resource provisioning and investments in infrastructure: This vulnerability goes hand
in hand with the one that follows. Provisioning of resources should be done carefully in order to
avoid failures of the provided services.

No policies for resource capping: CPs should provision their resources really well. In
addition, end users should be able to configure the resources that are allocated to them. If the
requested resources exceed the available resources, results can be unpredictable.

Storage of data in multiple jurisdictions and lack of transparency: Multiple copies of a user's
data can exist, since mirroring of the data is performed in order to achieve redundancy. During
that time the user should be aware of where those data are stored. Such a move can introduce
unwanted vulnerabilities, since CPs may violate regulations during this time.

Lack of information jurisdictions: there might be a case where data are stored using a high level
of user rights. In that case, end users should be aware of it in order to take preventive
measures.

Conclusion

In this paper we tried to give a brief overview of cloud computing and discuss what
security in Cloud computing means. Furthermore, we made it easy for the reader to understand
what the benefits and risks of moving toward Cloud computing are. Vulnerabilities of Cloud
computing are listed as they were described in [ENISA, 2009], allowing us to have a full view
of the considerations that we should keep in mind when moving to Cloud computing.

It is also well understood that exhaustive risk and security control is not recommended for all
Cloud computing implementations. The level of control should always depend on prior
evaluation. There are still a lot of open research areas in improving Cloud computing security;
some of those are forensics and evidence gathering mechanisms, resource isolation mechanisms
and interoperability between cloud providers.

References

[ENISA, 2009] ENISA editors. (2009). Cloud Computing Benefits, risks and recommendations
for information security.
<http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment/at_download/fullReport>.
[Accessed 05 Dec 2012]

Jamsa, K. A. (2013). Cloud computing: SaaS, PaaS, IaaS, virtualization, business models, mobile,
security and more. Burlington, MA: Jones & Bartlett Learning.

[Brunette, 2009] Glenn Brunette and Rich Mogull (2009). Security Guidance for Critical Areas
of Focus in Cloud Computing, Version 2.1. <http://cloudsecurityalliance.org/csaguide.pdf>
[Accessed 05 Dec 2012]

Buyya, R., Broberg, J., & Gościński, A. (2011). Cloud computing: Principles and paradigms. Hoboken,
N.J: Wiley.

Antonopoulos, N., & Gillam, L. (2010). Cloud computing: Principles, systems and applications. London:
Springer.

[Mell, 2009] Peter Mell and Tim Grance (2009). The NIST Definition of Cloud Computing,
Version 15. <http://csrc.nist.gov/groups/SNS/cloud-computing/cloud-def-v15.doc>
[Accessed 05 Dec 2012]
