Cloud computing is the latest buzzword in the information technology world. It is a model for pay-per-use access to a large variety of computational resources and third-party applications on a massive scale, using the internet as the medium. Many prominent organizations are following the trend of moving some portion, or sometimes all, of their information technology operations to an enterprise cloud. This increased use has made cloud systems more attractive targets for various internet-based security threats, and concerns have been raised in particular about database security in a cloud network. In this discussion, we give an overview of the cloud computing model and then cover some issues regarding cloud security.
There are various definitions of cloud computing, but the most accurate definition is given by NIST as follows:
Cloud computing: “A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of three service models, four deployment models and five essential characteristics.”
Some characteristics of cloud computing include the following:
- Broad network access: Cloud systems make their services available over the network, where they can be accessed by the latest client platforms, such as smartphones, laptops or PDAs, as well as by other cloud-based software services and traditional client platforms.
- Elasticity: In cloud computing, a user can expand or reduce resources as requirements change. If a resource is no longer required, it can be released for some other use. For example, to complete a complex task you may need a large number of servers, and when the task is completed you can release those servers for some other process.
- Measured service: Cloud systems control and optimize the use of resources automatically, implementing controls that govern the availability of resources to particular users. The metered resources may include bandwidth, storage, processing and active user accounts. Resource use can be controlled, monitored and reported, which provides transparency for both the consumer and the provider of the utilized service.
- On-demand self-service: Cloud computing works on a model in which resources are shared at the host, network and application levels, so a single resource can be used by multiple users. A user does not need to interact with each service provider to provision computing capabilities such as server time and network storage. Because the service is on demand, the resources are not a permanent part of the user's IT infrastructure.
- Resource pooling: In the cloud computing model, the provider's physical and virtual resources are pooled together to serve multiple consumers using a multi-tenant model. Resources are assigned and reassigned dynamically according to consumer demand. A consumer may be able to specify the location of resources at a higher level of abstraction, such as country or state, but has no knowledge of or control over the exact location of the resources provided. Examples of such resources include storage, processing, memory, network bandwidth and virtual machines. Even private clouds tend to pool the available resources between parts of the same organization.
Figure 1 shows the relationship between the various models and characteristics:
Figure 1: Relationship between various models and characteristic of cloud
NIST defines three service models for cloud computing, and these models can be viewed as nested service alternatives:
- Software as a service (SaaS): In this model, users use the provider's applications running on a cloud infrastructure. A thin client interface such as a web browser is used to access these services from various client devices. Instead of licensing software products for its desktops and servers, an enterprise obtains the same functions from a cloud service. The complexity of software installation, maintenance, upgrades and patches is avoided with SaaS.
- Platform as a service (PaaS): In this model, a user may deploy consumer-created or acquired software, developed using programming languages and tools supported by the cloud provider, onto the cloud infrastructure. This model provides an easier way to develop services and business applications over the internet. Services such as databases and component services used by applications are often provided by PaaS. Key examples are Google AppEngine, Microsoft's Azure and Heroku.com.
- Infrastructure as a service (IaaS): This model delivers computer infrastructure as a service. Its main benefit is that it allows users to pay as they grow. Another advantage of IaaS is that the customer always uses the latest technology. Using IaaS, the customer can achieve a much faster time to market and service delivery. Key examples are GoGrid, Flexiscale, Layered Technologies, AppNexus, Joyent and Mosso/Rackspace.
There are four deployment models defined by NIST:
- Public cloud: When the organization that owns the cloud services sells them to the general public or a large industry group, it is called a public cloud. The service provider owns the infrastructure and controls the cloud.
- Private cloud: This type of cloud infrastructure is operated solely for one organization. The infrastructure may exist off premises or on premises and may be managed by a third party or by the organization itself. The cloud provider is responsible only for the infrastructure, not for control of the cloud.
- Community cloud: When several organizations share a cloud infrastructure that supports a specific community with shared concerns, such as mission, security requirements or policy, it is called a community cloud. The infrastructure may exist off premises or on premises and may be managed by a third party or by the organizations themselves.
- Hybrid cloud: When multiple cloud infrastructures are bound together by proprietary or standardized technology that enables application and data portability (for example, cloud bursting to balance load between clouds), the result is called a hybrid cloud. The clouds combined in this model remain unique entities.
Figure 2 illustrates the typical cloud service context. Workstations are maintained by an enterprise within a set of enterprise LANs. These workstations are connected through a router, over a network or the internet, to a cloud service provider. The cloud service provider manages a massive collection of servers with various network management, redundancy and security tools. The cloud itself is typically built from a common architecture, blade servers:
Figure 2: Cloud Computing Context
Cloud Security Risks
The security controls used in cloud computing models are generally similar to those used in any other IT environment. But because the operational technologies and models used to implement cloud structures are very specific and sophisticated, some risks are specific to cloud computing. The key point is that an organization must maintain accountability for its privacy policies and security even though it loses a significant amount of control over services, applications and resources.
The top cloud-specific security risks as described by the Cloud Security Alliance are listed below:
- Abuse and nefarious use of cloud computing: For many cloud providers, it is easy to register and start using the cloud services. This gives an attacker ample opportunity to get inside the cloud and then perform various attacks such as DoS, malicious code and spam attacks. It is the cloud provider's responsibility to mitigate these attacks, but the client must also monitor activity related to its data and resources to detect any malicious behaviour.
- Insecure interfaces and APIs: Every cloud provider offers a set of software interfaces or APIs through which a client accesses the cloud services. The availability and security of cloud resources are directly tied to the security of these APIs. The APIs must apply the tools and techniques needed to secure cloud services, such as encryption, authentication and access control, and monitoring of activity over the cloud interface, to prevent both accidental and malicious attempts to circumvent policy.
- Malicious insiders: One of the main security threats facing modern cloud infrastructures is the risk of malicious insider activity. These insiders can include the cloud provider's system administrators and managed security service providers.
- Data loss or leakage: The loss or leakage of data from a cloud architecture is one of the biggest security problems faced by the cloud industry. Databases shared on cloud systems are among the most targeted resources for attackers.
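The API controls named above (authentication, tenant-scoped access control and monitoring for abusive use) can be sketched as a small gateway check. This is an added example, not code from the original text or from any provider; the HMAC-signed request scheme, tenants, keys and resource names are all constructed for illustration.

```python
import hmac
import hashlib
from collections import Counter

# Constructed sample data (illustrative only): API keys identify principals,
# each belonging to one tenant; resources are owned by a single tenant
# even though they sit in a shared, multi-tenant resource pool.
SECRET = b"gateway-hmac-key-example"          # hypothetical shared signing key
PRINCIPALS = {                                  # key id -> (tenant, role)
    "k-alpha-admin": ("alpha", "admin"),
    "k-alpha-reader": ("alpha", "reader"),
    "k-beta-admin": ("beta", "admin"),
}
RESOURCES = {"db-1": "alpha", "db-2": "beta"}   # resource -> owning tenant
ROLE_ACTIONS = {"admin": {"read", "write", "delete"}, "reader": {"read"}}

def sign(key_id, action, resource):
    """Signature the client attaches: HMAC-SHA256 over the request fields."""
    msg = f"{key_id}|{action}|{resource}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def authorize(key_id, action, resource, signature, audit):
    """Authenticate the caller, enforce tenant isolation and role, and
    append one audit record per request (allowed or not)."""
    expected = sign(key_id, action, resource)
    if key_id not in PRINCIPALS or not hmac.compare_digest(expected, signature):
        decision = "DENY:auth"                  # unknown key or bad signature
    else:
        tenant, role = PRINCIPALS[key_id]
        if RESOURCES.get(resource) != tenant:
            decision = "DENY:tenant"            # cross-tenant access blocked
        elif action not in ROLE_ACTIONS[role]:
            decision = "DENY:role"              # action not granted to role
        else:
            decision = "ALLOW"
    audit.append((key_id, action, resource, decision))
    return decision

def flag_abusers(audit, threshold=3):
    """Monitoring side: principals accumulating repeated denials are the
    ones a tenant should investigate for abuse or a compromised key."""
    denials = Counter(k for k, _, _, d in audit if d.startswith("DENY"))
    return sorted(k for k, n in denials.items() if n >= threshold)
```

The audit list stands in for the activity log a client should keep on its own side, since the text makes monitoring the client's duty as well as the provider's.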
There are various other challenges and security concerns when implementing clouds, such as unknown risk profiles, account or service hijacking and issues related to shared technologies.
Cloud computing is one of the most interesting and most aggressively developing areas of the IT industry. A great deal of research is being done on cloud infrastructure that can sustain its services in the face of increasing security threats. This discussion has provided an overview of cloud systems and some of the challenges faced by this industry.