Term paper

Security: now
and Then

Submitted to Submitted by
Neha bassan Rashmi Burman
11410590
B-57
Introduction
Cloud computing has led to a shift in how
people think about IT systems architecture.
Many organizations today are either
implementing cloud-based solutions, or
evaluating which cloud-based solutions they
will be implementing in the future.
According to gartener Inc. cloud computing
is "no less influential than e-business". This
shift in architecture from an enterprise-based
traditional server-based system to a cloud-
based system will have associated costs of
entry and risks, but it can result in enormous
benefits in savings and in IT and business
agility. While there is considerable pressure
on organizations to consider moving to the
cloud-based services, security issues
continue to be one of the largest concerns that
organizations have about this move. The
different cloud-based deployment models,
including private, public or hybrid cloud,
bring with them a range of challenges, and
security concerns cut across them all. Many
organizations will need to apply best practice
security standards that are far in excess of
those that they currently implement with their
on-premise systems. The migration or
adoption of cloud services then can provide
an advantage in that firms can design, from
the ground up, their new cloud-based
infrastructures with security "baked-in"; this
is in contrast to the piecemeal and "after the
fact" or "bolted-on" nature of security seen in
most data centers today. The cloud service
model that an organization wants to
implement influences security design and
implementation. We will cover the three
cloud computing service
models: Infrastructure as a Service
iaas , and Software as a Service saas . These
models all have different security issues that
need to be considered and more importantly,
a determination of the balance of
responsibilities between the customer and the
cloud provider for each of the service models
also needs to be made.
Cloud computing security
Trust
The concept of trust, adjusted to the case of
two parties involved in a transaction, can be
described as follows: An entity A is
considered to trust another entity B when
entity A believes that entity B will behave
exactly as expected and required.
Thereinafter, an entity can be considered
trustworthy, if the parties or people involved
in transactions with that entity rely on its
credibility. In general, the concept described
above can be verbally represented by the term
reliability, which refers to the quality of a
person or entity that is worthy of trust. Trust
in the information society is built on various
different grounds, based on calculus, on
knowledge or on social reasons . The notion
of trust in an organization could be defined as
the customers certainty that the organization
is capable of providing the required services
accurately and infallibly. A certainty which
also expresses the customers faith in its
moral integrity, in the soundness of its
operation, in the effectiveness of its security
mechanisms, in its expertise and in its
abidance by all regulations and laws, while at
the same time, it also contains the
acknowledgement of a minimum risk factor,
by the relying party. The notion of security
refers to a given situation where all possible
risks are either eliminated or brought to an
absolute minimum .Trust in a cloud
environment depends heavily on the selected
deployment model, as governance of data and
applications is outsourced and delegated out
of the owners strict control. In traditional
architectures, trust was enforced by an
efficient security policy, which addressed
constraints on functions and flow among
them, constraints on access by external
systems and adversaries including programs
and access to data by people. In a cloud
deployment, this perception is totally
obscured. In the case of public or community
clouds, control is delegated to the
organization owning the infrastructure. When
deploying on a public cloud, control is
mitigated to the infrastructure owner to
enforce a sufficient security policy that
guarantees that appropriate security activities
are being performed to ensure that risk is
reduced. This introduces a number of risks
and threats, as essentially security is related
to trusting the processes and computing base
implemented by the cloud owner. It is crucial
to differentiate between deployment models,
as a private cloud, where the infrastructure is
operated and managed on premise by a
private organization, does not introduce
additional unique security challenges, as trust
remains within the organization. In such a
situation the infrastructures owner remains
the data and process owner
Security identification of
threats
Essentially securing an Information System
(IS), involves identifying unique threats and
challenges which need to be addressed by
implementing the appropriate
countermeasures. Ultimately, the identified
security requirements and selected security
controls are introduced to the standard
systems engineering process, to effectively
integrate the security controls with the
information systems functional and
operational requirements, as well as other
pertinent system requirements
(e.g., reliability, maintainability,
supportability). Cloud computing due to its
architectural design and characteristics
imposes a number of security benefits, which
include centralization of security, data and
process segmentation, redundancy and high
availability. While many traditional risks are
countered effectively, due to the
infrastructures singular characteristics, a
number of distinctive security challenges are
introduced. Cloud computing has unique
attributes that require risk assessment in areas
such as availability and reliability issues, data
integrity, recovery, and privacy and
auditing. Security in general, is related to the
important aspects of confidentiality, integrity
and availability; they thus become building
blocks to be used in designing secure
systems. These important aspects of security,
apply to the three broad categories of assets
which are necessary to be secured, data,
software and hardware resources. The cloud
infrastructure proposes unique security
challenges which need to be considered in
detail.

.1. Confidentiality and privacy
Confidentiality refers to only authorized
parties or systems having the ability to access
protected data. The threat of data
compromise increases in the cloud, due to the
increased number of parties, devices and
applications involved, that leads to an
increase in the number of points of access.
Delegating data control to the cloud,
inversely leads to an increase in the risk of
data compromise, as the data becomes
accessible to an augmented number of
parties. A number of concerns emerge
regarding the issues of multitenancy, data
remanence, application security and privacy
2. Integrity
Integrity means that assets can be modified
only by authorized parties or in authorized
ways and refers to data, software and
hardware. Data Integrity refers to protecting
data from unauthorized deletion,
modification or fabrication. Managing an
entitys admittance and rights to specific
enterprise resources ensures that valuable
data and services are not abused,
misappropriated or stolen. By preventing
unauthorized access, organizations can
achieve greater confidence in data and
system integrity. Additionally, such
mechanisms offer the greater visibility into
determining who or what may have altered
data or system information, potentially
affecting their integrity (accountability).
Authorization is the mechanism by which a
system determines what level of access a
particular authenticated user should have to
secured resources controlled by the system.
Due to the increased number of entities and
access points in a cloud environment,
authorization is crucial in assuring that only
authorized entities can interact with data.
A cloud computing provider is trusted to
maintain data integrity and accuracy. The
cloud model presents a number of threats
including sophisticated insider attacks on
these data attributes.
3. Availability
Availability refers to the property of a system
being accessible and usable upon demand by
an authorized entity. System availability
includes a systems ability to carry on
operations even when some authorities
misbehave. The system must have the ability
to continue operations even in the possibility
of a security breach. Availability refers to
data, software but also hardware being
available to authorized users upon demand.
Leveraging users from hardware
infrastructure demands, generates a heavy
reliance on the ubiquitous networks
availability. The network in now burdened
with data retrieval and processing. The cloud
owner needs to guarantee that information
and information processing is available to
clients upon demand. System availability
includes a systems ability to carry on
operations even when some authorities
misbehave. The system must have the ability
to continue operations even in the possibility
of a security breach. Cloud computing
services present a heavy reliance on the
resource infrastructures and network
availability at all times.
4. Trusted Third Party
We claim that employing Trusted Third Party
services within the cloud, leads to the
establishment of the necessary Trust level
and provides ideal solutions to preserve the
confidentiality, integrity and authenticity of
data and communications [21] (Fig. 2). In
cryptography, a Trusted Third Party (TTP) is
an entity which facilitates secure interactions
between two parties who both trust this third
party. The scope of a TTP within an
Information System is to provide end-to-end
security services, which are scalable, based
on standards and useful across different
domains, geographical areas and
specialisation sectors. The establishment and
the assurance of a trust relationship between
two transacting parties shall be concluded as
a result of specific acceptances, techniques
and mechanisms. The Third Party reviews all
critical transaction communications between
the parties, based on the ease of creating
fraudulent digital content. Introducing a
Trusted Third Party can specifically address
the loss of the traditional security boundary
by producing trusted security domains. As
described by Castell, A Trusted Third Party
is an impartial organization delivering
business confidence, through commercial
and technical security features, to an
electronic transaction. It supplies technically
and legally reliable means of carrying out,
facilitating, producing independent evidence
about and/or arbitrating on an electronic
transaction.
Cloud security controls
Cloud security architecture is effective only
if the correct defensive implementations are
in place. An efficient cloud security
architecture should recognize the issues that
will arise with security management.[8] The
security management addresses these issues
with security controls. These controls are put
in place to safeguard any weaknesses in the
system and reduce the effect of an attack.
While there are many types of controls
behind a cloud security architecture, they can
usually be found in one of the following
categories.
Deterrent controls-
These controls are intended to reduce attacks
on a cloud system. Much like a warning sign
on a fence or a property, deterrent controls
typically reduce the threat level by informing
potential attackers that there will be adverse
consequences for them if they proceed.
(Some consider them a subset of preventive
controls.)
Preventive controls
Preventive controls strengthen the system
against incidents, generally by reducing if not
actually eliminating vulnerabilities. Strong
authentication of cloud users, forinstance,
makes it less likely that unauthorized users
can access cloud systems, and more likely
that cloud users are positively identified.
Detective controls
Detective controls are intended to detect and
react appropriately to any incidents that
occur. In the event of an attack, a detective
control will signal the preventative or
corrective controls to address the
issue.[8] System and network security
monitoring, including intrusion detection and
prevention arrangements, are typically
employed to detect attacks on cloud systems
and the supporting communications
infrastructure.
Corrective controls
Corrective controls reduce the consequences
of an incident, normally by limiting the
damage. They come into effect during or after
an incident. Restoring system backups in
order to rebuild a compromised system is an
example of a corrective control.
Security and privacy
Identity management
Every enterprise will have its own identity
management system to control access to
information and computing resources. Cloud
providers either integrate the customers
identity management system into their own
infrastructure,using federation or SSO techn
ology, or a biometric-based identification
system,[1] or provide an identity management
system of their own. Cloud ID, for instance,
provides privacy-preserving cloud-based and
cross-enterprise biometric identification. It
links the confidential information of the users
to their biometrics and stores it in an
encrypted fashion. Making use of a
searchable encryption technique, biometric
identification is performed in encrypted
domain to make sure that the cloud provider
or potential attackers do not gain access to
any sensitive data or even the contents of the
individual queries.
Physical security
Cloud service providers physically secure the
IT hardware (servers, routers, cables etc.)
against unauthorized access, interference,
theft, fires, floods etc. and ensure that
essential supplies (such as electricity) are
sufficiently robust to minimize the possibility
of disruption. This is normally achieved by
serving cloud applications from 'world-class'
(i.e. professionally specified, designed,
constructed, managed, monitored and
maintained) data centers.
Personnel security
Various information security concerns
relating to the IT and other professionals
associated with cloud services are typically
handled through pre-, para- and post-
employment activities such as security
screening potential recruits, security
awareness and training programs, proactive.
Privacy
Providers ensure that all critical data (credit
card numbers, for example) are masked or
encrypted and that only authorized users have
access to data in its entirety. Moreover,
digital identities and credentials must be
protected as should any data that the provider
collects or produces about customer activity
in the cloud.
Cloud security: Now
Todays cloud computing environment goes
well beyond what most could even have
imagined at the birth of modern computing
and innovation in the field isnt slowing.
From digital assistants to smart cars to virtual
reality to the internet of things, all of the latest
modernizations rely on cloud technology.
But so too do most of the traditional services
individuals and organizations rely on.
Although weve seen new products and
services focused on managing money, the
traditional banking institutions
developing their own services and the
environment is nearly unrecognizable to that
of ten years ago. Who can even imagine a
world without internet banking?
And the benefits cloud computing
promises education are immense. Already,
cloud technology is changing the way
students learn and extending access to
schooling into remote and impoverished
areas. Though schools and universities are
adopting cloud technologies themselves,
many startups such as Education
Modified, KikoLabs, and HSTRY, are
coming up with new methods and platforms
which enhance and further learning.
Cloud security: Then
Its predicted that the cloud service market
will be worth around $108 billion next year,
and by 2020 the number of connected devices
worldwide is expected to reach 25 billion.
Further estimates suggest cloud computing
offers green benefits too, and US
organizations moving to the cloud before
2020 will save $12.3 billion in energy costs.
Gartner points to a hybrid cloud
infrastructure in the coming years, and says
Ed Anderson, I start to think of a multi-
cloud environment as a foundation for a next
wave of applications. And according to
Forrester Research, were on the cusp of the
second wave of cloud computing, with
service providers focused on next-gen
applications that require Omni channel
support, time-based analytics, and micro
service support. The barrier to entering the
cloud seems likely to shrink significantly due
to adjusted compliance requirements and
regulations, and although security already is
a primary focus, with the expansion of cloud,
its importance will be magnified. Finally, due
to the high demand for cloud services, service
providers will soon, if not already, be
building next-generation architecture on
are
hyper-converged platforms further reducing
maintenance costs and speeding up
scalability.
Conclusion
Inevitably cloud computing will support a
surplus of information systems as the benefits
outnumber its shortcomings. Cloud
computing offers deployment architecture,
with the ability to address vulnerabilities
recognized in traditional IS but its dynamic
characteristics are able to deter the
effectiveness of traditional countermeasures..
To do so, software engineering and
information systems design approaches were
adopted. Security in a cloud environment
requires a systemic point of view, from which
security will be constructed on trust,
mitigating protection to a trusted third party.
A combination of PKI, LDAP and SSO can
address most of the identified threats in cloud
computing dealing with the integrity,
confidentiality, authenticity and availability
of data and communications. The solution,
presents a horizontal level of service,
available to all implicated entities, that
realizes a security mesh through federations,
within which essential trust i
Reference
https://www.finecomb.com
http://www.sciencedirect.com
https://www-ssl.intel.com
https://en.wikipedia.org/wiki/Cloud_comput
ing_security
https://www.google.co.in/search?q=images+
of+cloud+security