Cloud Security From An Ias Pas Information Technology Essay

Cloud computing is a way to increase capacity or add capabilities dynamically without investing in new infrastructure, training new personnel, or licensing new software. In the last few years, cloud computing has grown from a promising business concept into one of the fastest-growing segments of the Information Technology (IT) industry. But as more information on individuals and companies is placed in the cloud, concerns are beginning to grow about how safe an environment it is. Customers are still reluctant to deploy their business in the cloud. Security is one of the major issues holding back the growth of cloud computing, and complications with data privacy and data protection continue to afflict the market. This paper concentrates on the security issues that relate to the three service delivery models, “Software as a Service” (SaS), “Platform as a Service” (PaS) and “Infrastructure as a Service” (IaS). The risks of data breaches due to the nature of the service delivery models of a cloud computing system will be described and real world examples of cloud security implementation will be given.

Introduction

Cloud computing systems provide various Internet-based data storage and services. Their benefits include cost effectiveness, high scalability and flexibility, which have enabled them to gain significant momentum as a new paradigm for distributed computing for various applications. With the rapid growth of the Internet, of service-oriented architecture (SOA) and of virtualization technologies, cloud computing has led to the vision of “Internet as a supercomputer.”

Nevertheless, one major limitation stands in the way of broad adoption of cloud computing: current cloud computing systems do not protect the confidentiality of users’ data from service providers (Horrigan J. 2008).

It is obvious thus that, though cloud computing aims to provide better utilization of resources using virtualization techniques and to take up much of the work load from the client, security risks exist (Seccombe et al., 2009).

This paper concentrates on the security issues that relate to the three service delivery models, SaS, IaS, and PaS. SaS is a software deployment model whereby a provider licenses an application to customers for use as a service on demand. IaS is the delivery of computer infrastructure (commonly a platform virtualization environment) as a service. Rather than purchasing servers, software, data center space or network equipment, clients instead buy those resources as a fully outsourced service. PaS is the delivery of a computing platform and solution stack as a service. It facilitates the deployment of applications without the cost and complexity of buying and managing the underlying hardware and software layers. PaS provides the facilities required to support the complete lifecycle of building and delivering web applications and services.

The paper is organized as follows: Section 2 describes the common security issues that exist in cloud service delivery models. Section 3 describes the security threats posed by the SaS delivery model. Section 4 describes the security threats posed by the PaS delivery model. Section 5 describes the security threats posed by the IaS delivery model. Section 6 lists some real world examples on ways to implement cloud security at different levels. Finally, section 7 provides some basic conclusions.

Security issues in service models

Cloud computing utilizes three delivery models by which different types of services are delivered to the end user. As mentioned above, the three delivery models are the SaS, PaS and IaS which provide infrastructure resources, application platform and software as services to the consumer.

Specifically:

Software as a Service (SaS). SaS is a software deployment model whose main purpose is to reduce the total cost of hardware and software development, maintenance, and operations. Security provisions are carried out mainly by the cloud provider. The cloud subscriber does not manage or control the underlying cloud infrastructure or individual applications, except for preference selections and limited administrative application settings. One example of SaS is the Salesforce.com CRM application.

Platform as a Service (PaS). PaS is a model of software deployment whereby the computing platform is provided as an on-demand service upon which applications can be developed and deployed. It reduces the cost and complexity of buying, housing, and managing the underlying hardware and software components of the platform, including any needed program and database development tools. The cloud provider determines the development environment and adjusts it to the design and architecture of the platform. The cloud subscriber has control over applications and application environment settings of the platform. Security provisions are split between the cloud provider and the cloud subscriber. An example of this model is GoogleApps.

Infrastructure as a Service (IaS). IaS is a model of software deployment whereby the basic computing infrastructure of servers, software, and network equipment is provided as an on-demand service upon which a platform to develop and execute applications is established. Its main purpose is to avoid purchasing, housing, and managing the basic hardware and software infrastructure components, and to obtain those resources as virtualized objects controllable via a service interface. The cloud subscriber generally has enough freedom to choose the operating system and development environment to be hosted. Security provisions beyond the basic infrastructure are carried out mainly by the cloud subscriber. One example of this is the Amazon web services. (Jansen et al., 2011)

Fig. 1 Differences in Scope and Control among Cloud Service Models

The three service models place a different level of security requirement in the cloud environment. IaS is the foundation of all cloud services, with PaS built upon it and SaS in turn built upon it. Just as capabilities are inherited, so are the information security issues and risks. There are significant trade-offs to each model in terms of integrated features, complexity, extensibility and security. If the cloud service provider takes care of only the lower part of the security architecture, the consumers become more responsible for implementing and managing the security capabilities.

Generally, enterprises across sectors are eager to adopt cloud computing but security is needed both to accelerate cloud adoption on a wide scale and to respond to regulatory drivers. Moreover, cloud computing is shaping the future of IT, but the absence of a compliance environment has a great impact on the growth of it. Organizations that use cloud computing as a service infrastructure critically like to examine the security and confidentiality issues for the business critical insensitive applications. Yet, guaranteeing the security of data in the “cloud” is difficult, as different services like SaS, PaS, and IaS are provided. Each service has its own security issues (Kandukuri et al., 2009).

In the SaS model, applications are remotely hosted by the application or service provider and made available to customers on demand, over the Internet. SaS offers significant benefits to the customers, such as improved operational efficiency and reduced costs. This is why it is rapidly emerging as the dominant delivery model for meeting the needs of enterprise IT services. However, lack of visibility about the way that the data is stored and secured makes many enterprises still uncomfortable with using it. According to the Forrester study, “The State of Enterprise Software: 2009”, security concerns are the most commonly cited reason why enterprises are not interested in SaS. Consequently, addressing enterprise security concerns has emerged as the biggest challenge for the adoption of SaS applications in the cloud (Heidi Lo et al., 2009). To overcome customer concerns about application and data security, vendors must address these issues. There is a strong apprehension about insider breaches and vulnerabilities in the availability of the applications and the systems that could lead to loss of sensitive data and money. Such challenges can dissuade enterprises from adopting SaS applications within the cloud.

IaS, on the other hand, changes the way developers deploy their applications. Instead of spending large amounts on their own data centers, managed hosting companies or collocation services and then hiring operations staff to get it going, they can just go to an IaS provider, get a virtual server running in minutes and pay only for the resources they use. IaS allows its users to consume infrastructure as a service without bothering about the underlying complexities. The cloud has a compelling value proposition in terms of cost, but it only provides basic security (perimeter firewall, load balancing, etc.), and applications moving into the cloud need a higher level of security provided at the host.

PaS offers an integrated developer environment that a developer can tap to build applications without having any clue about what is going on underneath the service. Developers are provided with a service that covers complete software development lifecycle management, from planning to design to building applications to deployment to testing to maintenance. Everything else is abstracted away from the “view” of the developers. The downside is that these same advantages can help a hacker leverage the PaS cloud infrastructure for malware command and control and go behind IaS applications.

Security issues in SaS

In SaS, the client has to depend on the provider for proper security measures. The provider must do the work to keep multiple users from seeing each other’s data. So it becomes difficult for the user to ensure that the right security measures are in place and also difficult to get assurance that the application will be available when needed (Choudhary, 2007). With SaS, the cloud customer will be substituting new software applications for old ones. Therefore, the focus is on preserving or enhancing the security functionality provided by the legacy application and achieving a successful data migration (Seccombe et al., 2009).

The SaS software vendor may host the application on its own private server and deploy it on a cloud computing infrastructure service provided by a third-party provider (e.g. Amazon, Google). The use of cloud computing coupled with the pay-as-you-go approach helps the application service provider to reduce the investment in infrastructure services and to concentrate on providing better services to customers.

Over the past few years, computers have become widespread within enterprises, while IT services and computing has become a commodity. Enterprises today view data and business processes (transactions, records, pricing information, etc.) as strategic issues and guard them with access control and compliance policies. Still, in the SaS model, enterprise data is stored at the provider’s data center, along with the data of other enterprises. Moreover, if the SaS provider is leveraging a public cloud computing service, the enterprise data might be stored along with the data of other unrelated SaS applications. The cloud provider might, also, replicate the data at multiple locations across countries for the purposes of maintaining high availability. Most enterprises are familiar with the traditional on-premise model, where the data continues to reside within the enterprise boundary, subject to their policies. Consequently, there is a lot of discomfort with the lack of control and knowledge of how the data is stored and secured in this model. Many concerns exist about data breaches, application vulnerabilities and availability that can lead to financial and legal liabilities. The layered stack for a typical SaS vendor and critical aspects that must be covered in order to ensure security of the enterprise data is illustrated in figure 2.

The following security elements should be carefully considered as an integral part of the SaS application development and deployment process:

Data security

Network security

Data locality

Data integrity

Data segregation

Data access

Authentication and authorization

Data confidentiality

Web application security

Data breaches

Virtualization vulnerability

Availability

Backup

Identity management and sign-on process.

Security issues in PaS

In PaS, the provider might give some control to people in order to build applications on top of the platform. Notably though, any security below the application level, such as prevention of host and network intrusion, will still be in the scope of the provider, and the provider will have to offer strong assurances that the data remains inaccessible between applications. PaS enables developers to build their own applications on top of the platform. Its built-in capabilities are less complete than those of the SaS model, but it is more flexible to layer on additional security. Applications sufficiently complex to leverage an Enterprise Service Bus (ESB) need to secure the ESB directly, leveraging a protocol such as Web Service Security (Oracle, 2009). The ability to segment ESBs is not available in PaS environments. Metrics should be in place to assess the effectiveness of the application security programs. Among the direct, application-security-specific metrics available are vulnerability scores and patch coverage. These metrics indicate the application coding quality. Attention should be paid to how malicious actors react to new cloud application architectures that obscure application components from their scrutiny. Hackers are likely to attack visible code and specifically their infrastructure and to perform extensive black box testing. The vulnerabilities of the cloud are also associated with the machine-to-machine SOA applications, which are increasingly deployed in the cloud.

Security issues in IaS

With IaS the developer has control over security as long as there is no security hole in the virtualization manager. It is notable though that in practice there are plenty of security problems (Gajek et al., 2007). Regarding the reliability of the data stored within the provider’s hardware, due to the growing virtualization of “everything” in information society, ensuring that the owner of the data retains control over it regardless of its physical location will become a topic of utmost interest. To achieve utmost trust and security on a cloud resource, several techniques have to be applied (Descher et al., 2009). The security responsibilities of the provider and the consumer differ greatly between cloud service models. For example, Amazon’s Elastic Compute Cloud (EC2) (Amazon, 2010) infrastructure as a service offering includes vendor responsibility for security up to the hypervisor, so that the vendor can only address security controls such as physical, environmental, and virtualization security. The consumer, in turn, is responsible for the security controls that relate to the IT system including the applications and the data (Seccombe et al., 2009).

Deployment Model Impact

IaS is prone to various degrees of security issues based on the cloud deployment model through which it is being delivered. Public cloud poses the major risk whereas private cloud seems to have less risk impact. Physical security of the infrastructure, and disaster management in case any damage is incurred by the infrastructure (either naturally or intentionally), are of utmost importance. Infrastructure not only pertains to the hardware where data is processed and stored but also to the path over which it is transmitted. In a typical cloud environment, data will be transmitted from source to destination through an infinite number of third-party infrastructure devices. There is a high possibility that data can be routed through an intruder’s infrastructure.

Although cloud architecture is an improvised technology, the underlying technologies are mainly the same. The cloud is built over the Internet, and all the security concerns that apply to the Internet also apply to the cloud. The basis of cloud technology is that the consumer and the provider reside at different locations and access the resources virtually over the Internet. Even if an enormous amount of security is put in place in the cloud, the data is still transmitted through the normal underlying Internet technology. As a result, the security concerns which threaten the Internet also threaten the cloud.

In a cloud, the risks are extremely high. This is due to the vulnerability and the asset value of the resources and the fact that they reside together. Cloud systems still use the normal protocols and security measures that are used on the Internet, but the requirements are higher. Encryption and secure protocols cater to the needs to an extent but they are not context oriented. A robust set of policies and protocols is required to help secure transmission of data within the cloud. Concerns regarding intrusion of data by external non-users of the cloud through the Internet should also be considered. Finally, measures are needed to make the cloud environment secure, private and isolated in the Internet so as to avoid cyber criminals who may attack it.

Examples

Cloud Security not only encompasses the security of data sitting in the provider’s cloud but also includes authorization to data access, security of data en route, encryption at the source, and other related aspects. Real world examples shed light on creative ways employed by companies to implement cloud security at different levels.

SaS Example (Cloud Security Feature – Single Sign-on): A medical device company wanted to use Google Apps and a SaS-based training application called eLeap. A couple of issues arose mainly around the single sign-on: the company did not want to store the users’ credentials in the cloud, but wanted to control the user creation and termination in-house and had an already existing AD infrastructure that needed to be used for authentication purposes. All of these requirements were implemented by virtue of delegating the Google Apps authentication to an authentication provider from Symplified that authenticated users against the company’s AD; based on the result of the authentication the users were either allowed or denied access to Google Apps. The IT department at the company is able to use standard Windows screens for maintaining users, the cloud services are running on the provider infrastructure and all these disparate systems have been glued together using the authentication provider.

IaS Example (Cloud Security Feature – Data Encryption): A bank in NY was using cumbersome and slow tape backups for backing up the bank’s data, when it was decided to back up this data in the cloud. Zserver from Zecurion was used, which sends the bank’s files to the cloud. The bank’s primary concern was data encryption; it did not want to use the provider’s encryption services, so the bank encrypted the files itself on premise before sending them over the wire to the provider (Brandel, 2011).
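
The on-premise encryption step in the bank example can be sketched as follows. This is an added illustration, not code from the essay or from Zserver; the `Provider` map, the function names and the sample record are assumptions made up for the example, and AES-256-GCM is a choice made here because the essay does not say which cipher the bank used.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Provider is a constructed stand-in for the backup service: it only stores opaque blobs.
type Provider map[string][]byte

// NewKey creates a 256-bit key that is generated and kept on premise.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Backup encrypts locally and uploads nonce||ciphertext. The object name is
// bound as associated data, so stored objects cannot be swapped undetected.
func Backup(p Provider, key []byte, name string, data []byte) error {
	gcm, err := newGCM(key)
	if err != nil {
		return err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	p[name] = gcm.Seal(nonce, nonce, data, []byte(name))
	return nil
}

// Restore decrypts a downloaded blob; any change made off premise fails authentication.
func Restore(p Provider, key []byte, name string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	blob, ok := p[name]
	if !ok || len(blob) < gcm.NonceSize() {
		return nil, errors.New("missing or truncated object")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(name))
}

func main() {
	key, _ := NewKey()
	cloud := Provider{}
	_ = Backup(cloud, key, "ledger.csv", []byte("acct=1001;balance=2500.00")) // constructed sample
	cloud["ledger.csv"][20] ^= 0x01 // simulate modification at the provider
	_, err := Restore(cloud, key, "ledger.csv")
	fmt.Println("restore after tampering:", err)
}
```

Because the key never leaves the premises, the provider holds only ciphertext, and the restore step doubles as an integrity check on what the provider returns.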

Private on-site Cloud Example (Cloud Security Feature – Virtualization): SnagAJob was updating its infrastructure and aimed at achieving 100% virtualization. The options were either to use the IaS services provided by any cloud provider or to build it themselves. The decision was to build a private on-site cloud. The reasoning for not using an outside vendor was the dynamic nature of the business and the entrepreneurial environment, where most of the R&D work might not make it to the production environment. The company secured its cloud using a virtual firewall from Altor Networks; the traditional physical firewall and intrusion detection and prevention devices were installed only at the perimeter. The Altor firewall protected the virtual machines in the cloud and the IT team could also see the flow of data between virtual machines.

Conclusion

There are extreme advantages in using a cloud-based system. Yet there are many practical problems which have to be solved. Cloud computing is a disruptive technology with profound implications not only for Internet services but for the IT sector in general. Still, several outstanding issues exist, particularly related to service-level agreements (SLA), security, privacy, and power efficiency. Currently security has a lot of loose ends which scare away potential users. Until a proper security module is in place, potential users will not be able to leverage the advantages of this technology. Though there are many practical concerns regarding dynamic security and data storage based on meta-data, information research should aim to derive a framework which targets these concepts and to provide a practical solution. With problems come opportunities, and the same applies to cloud computing security. Any vendor who could provide a solution to the security problems of cloud computing will win the trust of potential customers. Through advancements in cloud security a vendor could gain a differentiating advantage over other vendors.
