CHAPTER 1
1.1 INTRODUCTION
Cloud computing refers to accessing, manipulating and configuring applications online. It offers online data storage, infrastructure and applications. Cloud computing is an IT operating model, based on virtualization, in which resources (infrastructure, appliances and data) are delivered over the Internet as a distributed service by one or more service providers [3]. These services are scalable on demand and can be billed on a pay-per-use basis. Cloud infrastructure provides extensive facilities to the client, such as processing, storage, power, networks, space and other computational resources, so that the customer can deploy and run their own software, applications and operating systems. The client does not manage or control the underlying cloud infrastructure, but is responsible for the operating systems, applications and storage, and possibly has limited control of selected networking components [11]. One of the main concerns in cloud computing is the possibility of privacy intrusion. As cloud computing gains popularity, concerns are being voiced about the security issues introduced by the adoption of this new model. The usefulness and efficiency of conventional protection mechanisms are being reconsidered, because the characteristics of this new deployment model differ widely from those of conventional architectures. This thesis attempts to expose the security challenges unique to cloud environments and to clarify the issues from a security standpoint [5].
Fig 1.1 Cloud Computing
This thesis proposes a security and authenticity solution which relieves customers of the security burden by trusting a Third Party. The Third Party is tasked with assuring specific security characteristics within a distributed information system.

Authentication is the process of determining whether someone or something is, in fact, who or what it claims to be. In public and private computer networks, as well as on the Internet, authentication is usually accomplished through the use of login IDs and passwords. Knowledge of the password is assumed to guarantee that the user is authentic [1, 16]. Each user registers initially (or is registered by someone else) with an assigned or self-declared password. On each subsequent use, the user must know and present the previously declared password. The weakness of this scheme for sensitive communication is that passwords can be stolen, accidentally revealed or forgotten. In the conventional authentication procedure, a web server hosts the website and clients access it over the Internet. The web server has its own database server and verification module [3]. The client presents an identity, that is, a user name and password; this information is forwarded to the server, which issues a query to the database server, and if the database server finds that user the web server permits the user to access his private pages. This is, essentially, the conventional authentication method. A server following it should store only a salted hash of each password rather than the password itself, so that a compromise of the database does not directly yield the credentials.

In third-party authentication, the authentication is performed by another web server, not by the web server hosting the website. The hosting web server rents the authentication facility under an agreement. The client provides the user name and password, which are forwarded to the third-party authentication server; that server validates the user, and the hosting web server then allows access to the website [16]. Two consequences follow for the hosting server: the forwarded password transits it, so the channel to the authentication server must be protected, and the hosting server must be able to verify that the answer genuinely originates from the authentication server rather than simply trusting any reply.

Service-oriented architecture (SOA) is a flexible set of design principles used during the phases of system development and integration in computing. A system based on SOA packages functionality as a suite of interoperable services that can be used within multiple separate systems from several business domains. The recent emergence of cloud computing has significantly changed everyone's perception of infrastructure architectures, software delivery and development models. Projected as an evolutionary step, following the transition from mainframe computers to client/server deployment models, cloud computing incorporates elements from utility computing, grid computing and autonomic computing into an innovative deployment architecture [17]. This rapid transition towards the clouds has fuelled concerns on a critical issue for the success of information systems: security. From a security point of view, a number of uncharted threats and challenges have been introduced by this move to the clouds, diminishing much of the effectiveness of traditional protection mechanisms. As a result, the aim of this thesis is twofold: first, to evaluate cloud security by identifying unique security requirements, and second, to present a viable solution that mitigates these potential threats. This thesis proposes a Trusted Third Party, tasked with assuring specific security characteristics within a cloud environment [30]. The proposed solution calls upon public-key cryptography, specifically a public key infrastructure (PKI) coupled with an LDAP directory (LDAP being a directory access protocol used to distribute the certificates, not itself a cryptographic mechanism), to ensure the integrity, authentication and confidentiality of the data and communications involved in the cloud environment.
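The two authentication flows described above, as an added example that is not code from this thesis: a Go program in which the conventional web server checks a user name and password against its own salted-hash database, while a rented authentication server performs the same check but hands the hosting server a signed, short-lived assertion, which the hosting server verifies with the authentication server's public key before granting access. The account name, the PBKDF2 work factor, the five-minute assertion lifetime and the choice of Ed25519 signatures are assumptions made for the example; the thesis does not prescribe them.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

const iterations = 20_000 // PBKDF2 work factor, assumed for the example; production should use more

// pbkdf2SHA256 derives one 32-byte block from password and salt (RFC 8018 PBKDF2 with
// HMAC-SHA256), written out so that the example needs only the standard library.
func pbkdf2SHA256(password, salt []byte, iter int) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // block index 1; one block covers a 32-byte hash
	u := mac.Sum(nil)
	t := append([]byte(nil), u...)
	for i := 1; i < iter; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

type credential struct{ salt, hash []byte }

// credentialStore is the database behind the conventional flow: a salted hash per user, never the password.
type credentialStore struct{ users map[string]credential }

func newCredentialStore() *credentialStore { return &credentialStore{users: map[string]credential{}} }
func (c *credentialStore) register(user, password string) {
	salt := make([]byte, 16)
	rand.Read(salt) // crypto/rand only fails if the system RNG is broken
	c.users[user] = credential{salt, pbkdf2SHA256([]byte(password), salt, iterations)}
}

// check is the conventional web server's verification. An unknown user still costs one
// derivation, so the response time does not reveal which user names exist.
func (c *credentialStore) check(user, password string) bool {
	rec, ok := c.users[user]
	if !ok {
		rec = credential{make([]byte, 16), make([]byte, 32)}
	}
	got := pbkdf2SHA256([]byte(password), rec.salt, iterations)
	return ok && subtle.ConstantTimeCompare(got, rec.hash) == 1
}

// assertion is the authentication server's signed answer to the hosting server.
type assertion struct {
	User    string `json:"user"`
	Expires int64  `json:"exp"`
}

// authServer is the rented third-party service: it owns the credentials and an Ed25519
// signing key, while the hosting server holds only the public half.
type authServer struct {
	store *credentialStore
	key   ed25519.PrivateKey
}

func newAuthServer() *authServer {
	_, key, _ := ed25519.GenerateKey(rand.Reader)
	return &authServer{store: newCredentialStore(), key: key}
}
func (a *authServer) publicKey() ed25519.PublicKey { return a.key.Public().(ed25519.PublicKey) }

// authenticate validates the forwarded credentials and returns a signed, short-lived assertion.
func (a *authServer) authenticate(user, password string, now time.Time) (body, sig []byte, ok bool) {
	if !a.store.check(user, password) {
		return nil, nil, false
	}
	body, _ = json.Marshal(assertion{User: user, Expires: now.Add(5 * time.Minute).Unix()})
	return body, ed25519.Sign(a.key, body), true
}

// hostingServer stores no passwords; it trusts exactly one authentication server's public key.
type hostingServer struct{ trusted ed25519.PublicKey }

// admit grants access only for an assertion signed by the trusted server that has not expired.
func (h *hostingServer) admit(body, sig []byte, now time.Time) (string, error) {
	if !ed25519.Verify(h.trusted, body, sig) {
		return "", errors.New("assertion not signed by the trusted authentication server")
	}
	var a assertion
	if err := json.Unmarshal(body, &a); err != nil {
		return "", err
	}
	if now.Unix() >= a.Expires {
		return "", errors.New("assertion expired")
	}
	return a.User, nil
}

func main() {
	auth := newAuthServer()
	auth.store.register("alice", "correct horse battery staple") // constructed sample account
	host := &hostingServer{trusted: auth.publicKey()}
	body, sig, ok := auth.authenticate("alice", "correct horse battery staple", time.Now()) // forwarded by the host
	fmt.Println(ok)
	fmt.Println(host.admit(body, sig, time.Now()))
}
```

The hosting server never stores a password and cannot be fooled by a reply that did not come from the authentication server it trusts: an assertion signed by any other key, a modified assertion, or one presented after its expiry is rejected. The forwarded password still transits the hosting server, so in practice the channel to the authentication server must itself be encrypted and authenticated.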
1.1.1 History
The concept of cloud computing came into existence in the 1950s with the implementation of mainframe computers, accessible via thin/static clients. Since then, cloud computing has progressed from static clients to dynamic ones and from software to services. The following diagram describes the evolution of cloud computing.
Fig. 1.2 History of Cloud Computing
1.1.2 Benefits
Cloud computing has several advantages. Some of them are listed below:
1. One can access applications as utilities over the Internet.
2. One can manage and configure the application online at any time.
3. It does not require installing a specific piece of software to access or manipulate a cloud application.
4. Cloud computing offers online development and deployment tools and programming runtime environments through the Platform as a Service model.
5. Cloud resources are available over the network in a manner that provides platform-independent access to any type of client.
6. Cloud computing offers on-demand self-service: resources can be provisioned without interaction with the cloud service provider.
7. Cloud computing is highly cost effective because it operates at higher efficiencies with greater utilization; it requires only an Internet connection.
8. Cloud computing offers load balancing, which makes it more reliable.
Consideration: Infrastructure
1. Replaces various IT platforms and legacy infrastructures, which frequently operate as information silos, with a unified platform.
2. Supports geographically dispersed teams and mobile workers with a single infrastructure in the cloud.

Consideration: Business model
1. Helps simplify budgeting, because the cloud's all-inclusive pricing model eliminates the need to estimate hardware, licensing, facility and support fees separately.
2. Can replace capital expenditures with a more predictable monthly service fee.

Consideration: Availability
1. Provides network-based access to applications (email, documents, calendars, contacts and more) from nearly anywhere on almost any device.
2. Supports visibility and flexibility for all or part of your organization with pay-as-you-go pricing options.

Consideration: Management
1. Off-loads operational maintenance of the services, thus reducing your administrative operating costs.
2. Includes business-class features such as a service level agreement (SLA) of 99.9 percent uptime, IT-level phone support, geographic redundancy and disaster recovery.

Consideration: Technology updates
1. Deploys updates seamlessly, so you do not need to manage software upgrade projects.

Consideration: Scale
1. Accommodates peaks and valleys in demand automatically, and you pay only for what you use.
2. Reduces the capital and operating expenditure associated with equipping and managing data centers to serve peak capacity periods.

Table 1.1 Benefits of cloud messaging and collaboration services
1.2 CLOUD COMPUTING TECHNOLOGIES
There are certain technologies working behind the cloud computing platform that make cloud computing flexible, reliable and usable [27, 32]. These technologies are listed below:
1. Virtualization
2. Service -Oriented Architecture (SOA)
3. Grid Computing
4. Utility Computing
1. Virtualization
Virtualization is a technique which allows a single physical instance of an application or resource to be shared among multiple organizations or tenants (customers) [8]. It does so by assigning a logical name to a physical resource and providing a pointer to that physical resource when demanded.
Fig 1.3 Virtua lized Cloud Model
The multitenant architecture offers virtual isolation among the tenants, so each organization can use and customize the application as though it had its own instance running. This isolation is logical rather than physical: it is only as strong as the hypervisor or application layer that enforces it, which is why section 1.7.1 treats attacks between virtual machines as a primary concern.
2. Service -Oriented Architecture (SOA)
Service-oriented architecture allows applications to be used as services by other applications regardless of the vendor, product or technology [27]. Therefore it is possible to exchange data among applications from different vendors without additional programming or changes to the services. Cloud computing builds on service-oriented architecture [35].
Fig 1.4 Service Oriented Architecture
3. Grid Computing
Grid computing refers to distributed computing in which a collection of computers from numerous locations are connected with each other to achieve a common objective. These computer resources are heterogeneous and geographically dispersed. Grid computing breaks complex tasks into smaller pieces [17]. These smaller pieces are distributed to CPUs that reside within the grid.
4. Utility Computing
Fig 1.5 Utility Computing
Utility computing is based on a pay-per-use model. It offers computational resources on demand as a metered service. Cloud computing, managed IT services and grid computing are based on the concept of utility computing.
1.3 CLOUD COMPUTING ARCHITECTURE
Cloud service models basically describe what type of services can be offered to customers: "X as a Service", where X can be replaced by any one of the following: Security, Infrastructure, Data, Software, Desktop, Platform, IT, Database, Hardware, Computing, Testing, Storage, etc. [15].
Fig. 1.6 Cloud Computing Architecture
1.3.1 SAAS (Software as a Service)
SaaS is a software delivery model in which the vendor provides the software through an online facility. It provides network-based access to commercially available software. The user interface is typically a "thin client" application; communication is via application programming interfaces (APIs), and the services are loosely coupled, stateless, semantic, interoperable and modular [20]. This avoids capital overheads on software and development resources, reduces return on investment (ROI) risk, and allows streamlined, iterative updates. On the other hand, centralization of data requires new and different security measures. Examples of SaaS include Netflix, Intuit QuickBooks Online, Gmail and Google Docs [32]. The four most important advantages of SaaS are:
1. Lower cost of implementation and upgrades
2. Reduced support requirements
3. Increased user adoption
4. Increased speed of deployment
1.3.2 PAAS (Platform as a Service )
PaaS enables companies to develop applications more swiftly and efficiently in a cloud environment using programming languages and tools supported by the provider. The significant factor that makes PaaS unique is that it lets developers build and deploy web applications on a hosted infrastructure [20]. Every centralized system requires new and different protection measures. Common examples of platforms include Linux, Windows and Apple Mac OS X for operating systems; Windows Mobile, Google Android and Apple iOS for mobile computing; and the Microsoft .NET Framework or Adobe AIR for software frameworks [30].
1.3.3 IAAS (Infrastructure as a Service)
This is the bottom layer of the cloud stack. It serves as the foundation on which the other two layers are implemented. The keyword behind this layer is virtualization. IaaS is usually platform-independent; infrastructure expenses are shared and thus reduced; and it comes with service level agreements (SLAs), self-scaling and pay-by-usage billing. It avoids capital expenditure on hardware and human resources, reduces ROI risk, has a low barrier to entry, and offers streamlined and automated scaling. Its shortcomings are that business efficiency and productivity depend mainly on the vendor's capabilities, the long-term cost is potentially larger, and centralization requires new and different defence measures. With IaaS, a company can rent fundamental computing resources for deploying and storing data or running applications. IaaS enables rapid deployment of applications and improves the agility of IT services by instantly adding computing power and storage capacity when necessary.
1.4 CLOUD DEPLOYMENT MODELS
Regardless of the service model used (SaaS, PaaS or IaaS), there are four deployment models for cloud services:
Fig. 1.7 Cloud Deployment Models
1. Public Cloud: The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services. The infrastructure therefore exists entirely outside the tenant enterprise.
2. Private Cloud: The cloud infrastructure is operated exclusively for a single organization. It may be managed by the organization or a third party and may exist on-premises or off-premises. IT services are mounted on top of a large-scale, standardized and virtualized infrastructure within the enterprise firewall and consumed on a "per transaction" basis.
3. Community Cloud: The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g. security, mission, requirements, considerations or compliance policy). It may be managed by the organizations or a third party and may exist on-premises or off-premises.
4. Hybrid Cloud: The cloud infrastructure is a composition of two or more clouds (private, community or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g. cloud bursting for load balancing among clouds). Here, the infrastructure and business processes reside partly within the enterprise and are partly consumed from a third party.
1.5 CLOUD SECURITY CHALLENGES
Cloud computing, an emerging technology, has raised many challenges in different aspects [19, 22]. Some of these are shown in the following diagram:
Fig 1.8 Security Challenges
1.5.1 Security & Privacy
Security and privacy of information is the major challenge to cloud computing. Security and privacy issues can be mitigated by employing security applications, security hardware and encryption.
1.5.2 Portability
Another challenge to cloud computing is that applications should be easily migrated from one cloud provider to another; there should be no vendor lock-in. However, this is not yet possible, because each cloud provider uses different standards and languages for its platform.
1.5.3 Interoperability
Applications on one platform should be able to incorporate services from another platform. This is made possible via web services, but writing such web services is complex.
1.5.4 Computing Performance
Running data-intensive applications on the cloud requires high network bandwidth, which results in high cost. If done at low bandwidth, the required computing performance of the cloud application is not met.
1.5.5 Reliability a nd Availability
It is essential for cloud systems to be reliable and robust, because most businesses are now becoming dependent on services provided by third parties.
1.5.6 Authentication
Cloud service providers require customers to store their account information in the cloud, and the providers have access to this information. This raises a privacy issue for the customer's private information. Many SLAs specify the privacy of sensitive information; however, it is not easy for customers to make sure the correct rules are enforced [1]. There is a lack of transparency in the cloud that would allow customers to monitor their own private information. When a customer decides to use multiple cloud services, the customer has to store his or her password in multiple clouds: the more cloud services the customer subscribes to, the more copies of the user's information exist. This is a security issue for both the customers and the cloud service providers. The numerous copies of account data also lead to several separate authentication processes. Cloud service providers use diverse authentication technologies for authenticating users; this may have less impact on SaaS than on PaaS and IaaS, but it is a current challenge for customers [32].
1.5.7 Trust
Trust is not a new research topic in computer science, spanning areas as diverse as security and access control in computer networks, reliability in distributed systems, game theory, agent systems, and policies for decision making under uncertainty. Perhaps the most notable example was the development of the Trusted Computer System Evaluation Criteria (TCSEC) [30] in the late 1970s and early 1980s. Here, trust was used in the process of convincing observers that a system (model, implementation or design) was correct and secure. The notion of trust, adjusted to the case of two parties involved in a transaction, can be described as follows: "An entity A is considered to trust another entity B when entity A believes that entity B will behave exactly as expected and required". Thereafter, an entity can be considered trustworthy if the parties or individuals involved in transactions with that entity rely on its credibility. In general, the notion described above can be verbally represented by the term trustworthiness, which refers to the quality of a person or entity that is worthy of trust. Trust in the information society is built on various different grounds, based on calculus, on knowledge or on social reasons [19]. It is a belief which also expresses the customer's confidence in the provider's moral integrity, in the soundness of its operation, in the effectiveness of its security mechanisms, in its expertise and in its abidance by all regulations and laws, while at the same time it contains the acknowledgement of a minimum risk factor by the relying party. The notion of security refers to a given situation where all possible risks are either eliminated or brought to an absolute minimum. The emergence of cloud service models is expected to lead to a deconstruction of the application services as they are currently delivered in existing closed service provisioning environments. The ability to clearly authenticate, identify, authorize and monitor who or what is accessing the assets of an organization is essential to protecting an information system from threats and vulnerabilities. Separation is the key ingredient of any secure system, and is based on the ability to create boundaries between those entities that must be protected and those which cannot be trusted. This thesis proposes using a Trusted Third Party within a cloud environment, establishing trust and using cryptography to ensure the integrity, confidentiality and authenticity of data and communications, while attempting to address specific security vulnerabilities [17, 19]. The notion of trust towards a Third Party expresses the customer's faith in specific ethical, operational and quality characteristics, while it also contains the acknowledgement of a minimum risk factor. The relying-party clients trust the TTP for the security support it is supposed to offer in all transactions.
1.5.8 Confidentiality and Privacy
Confidentiality refers to only authorized parties or systems having the ability to access protected data. The threat of data compromise increases in the cloud because of the increased number of devices, parties and applications involved, which leads to an increase in the number of points of access [24]. Delegating control of data to the cloud conversely increases the risk of data compromise, as the data becomes accessible to a larger number of parties.
1.5.9 Integrity
A key aspect of information security is integrity. Integrity means that assets can be modified only by authorized parties or in authorized ways, and refers to data, software and hardware. A cloud computing provider is trusted to maintain data integrity and accuracy [2]. The cloud model presents a number of threats to these data aspects, including sophisticated insider attacks. Software integrity refers to protecting software from unauthorized modification, deletion, theft or fabrication. Deletion, fabrication or modification can be intentional or unintentional.
1.5.10 Availability
Availability refers to the property of a system being accessible and usable upon demand by an authorized entity. System availability includes a system's ability to carry on operations even when some authorities misbehave, so as to guarantee that information and information processing are available to clients on demand. These are the essential security objectives within a distributed system [17]. Related work is evaluated in the survey presented in this thesis concerning the security landscape, security incidents, industry references and issues, solutions and a summary.
Table 1.2 Comparison of yearly security landscape, industry references, security incidents and issues, solutions
1.6 CLOUD SECURITY ISSUES
Security is a major issue in the information technology business environment. Since clients and users shifted from grid computing to cloud computing in their business, numerous security issues have emerged, which are a major concern for cloud providers because of the risk of losing customers. Security in cloud computing is a most important concern. Data in the cloud should be stored in encrypted form. To restrict clients from directly accessing shared data, proxy and brokerage services should be employed [12].
1.6.1 Security Boundaries
A particular service model defines the boundary between the responsibilities of the service provider and the end user. The Cloud Security Alliance (CSA) stack model defines the boundaries between each service model and shows how different functional units relate to each other [23]. In practice this means that the customer's share of the security work grows as one moves down the stack: a SaaS customer is responsible mainly for its data and user accounts, whereas an IaaS customer is also responsible for the operating systems and applications it deploys. The following illustration shows the CSA stack model:
Fig. 1.9 Cloud Security Issues
1.7 UNDERSTANDING DATA SECURITY
Since all the data is transferred over the Internet, data security is of primary concern in the cloud [25]. The key mechanisms for protecting data are listed below:
1. Access Control
2. Authentication
3. Auditing
4. Authorization
5. Encryption
Encryption helps to protect data from being compromised. It protects data that is being transferred as well as data stored in the cloud. Although encryption helps to protect data from unauthorized access, it does not prevent data loss: an encrypted object that is deleted, or whose key is lost, is gone just the same. All of the service models should incorporate security mechan isms operating in all of the above-mentioned areas. Cloud computing is largely built on a virtualization environment, which adds further risk to securing the cloud.
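Encryption of stored data as described above, as an added example and not code from the thesis: AES-256-GCM with the object's name bound in as associated data, so that a modified ciphertext, a ciphertext moved under another object name, or a wrong key all fail closed instead of yielding garbage. The object name and record contents are constructed sample data. The example also makes the caveat in the text concrete: decryption with any key other than the original fails, so a lost key means lost data, and encryption does nothing against data loss.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// newKey generates a 256-bit data-encryption key. Losing it loses the data:
// encryption protects confidentiality and integrity, not availability.
func newKey() []byte {
	k := make([]byte, 32)
	rand.Read(k) // crypto/rand only fails if the system RNG is broken
	return k
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealObject encrypts one stored object. The object's name is bound in as
// associated data, so a ciphertext copied under another name will not open.
// The stored form is nonce || ciphertext || tag.
func sealObject(key []byte, name string, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh per object; never reuse a nonce with the same key
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(name)), nil
}

// openObject reverses sealObject and fails on any change to the ciphertext,
// the tag, the nonce or the name the object is stored under.
func openObject(key []byte, name string, stored []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(stored) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("stored object too short to be valid")
	}
	nonce, ct := stored[:gcm.NonceSize()], stored[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(name))
}

func main() {
	key := newKey()
	name := "tenant-a/invoices/2024.csv" // constructed sample object name
	blob, _ := sealObject(key, name, []byte("constructed sample record"))
	pt, err := openObject(key, name, blob)
	fmt.Printf("intact: %q %v\n", pt, err)
	blob[len(blob)-1] ^= 1 // one flipped bit in the tag
	_, err = openObject(key, name, blob)
	fmt.Println("tampered:", err)
}
```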
1.7.1 Virtual Security Issues
The virtual environment of cloud computing is the most sensitive and important part of the cloud, because all the devices in the cloud are connected virtually through virtual networks that run and manage the information technology (IT) infrastructure and virtual servers in the cloud. In virtualization technology, several virtual machines (VMs) can run on top of a single physical machine, and any operating system can run within each VM to manage the infrastructure. Among the most important virtual security issues in the cloud are attacks on the network between VMs and the trust between different VMs [12]. There are other problems, such as non-secure applications and vulnerabilities in VMs, which permit unauthorized access.
1. Network Attacks in the Virtual Cloud
Running many different virtualization products increases the attack surface available to attackers (especially hackers). Higgins demonstrated how Amazon's cloud computing service (EC2) could be used to attack other systems: using EC2 to mount a brute-force attack firing 400,000 passwords per second at a secured wireless network, the system would have been compromised within twenty minutes. Furthermore, attackers hacked and shut down Sony's online customer networks in April 2011; the hackers used cloud-based attacks to interrupt service to roughly 100 million users worldwide. One should not forget the most serious threat posed by hackers, the distributed denial of service (DDoS) attack.
2. Distributed Denial of Service (DDOS) Attacks
This attack targets networks and servers. It floods the network with traffic so that users are denied access to a certain Internet-based service in the cloud. In the worst cases the attackers use botnets to perform the DDoS, and they may also use the threat of such an attack to blackmail the target. DDoS attacks should be considered as threats for cloud providers such as AWS, Google Apps and Microsoft Cloud [25]. These scenarios show that cloud computing networks are still not secure, and this leads us to non-secure applications.
3. Non -Secure Apps
Cloud application security is a complicated matter for organizations and customers if they neglect to secure their data before deploying it in the cloud. They need to consider the new threats and attacks that arise. Non-secure applications open the door to further threats that could result in attacks on the cloud through the network and the application programming interface (API). A man-in-the-middle attack is one of the problems for non-secure apps. This attack works as eavesdropping: the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection when in fact the entire conversation is run and controlled by the attacker [27]. The defence is to authenticate the endpoints of the connection, for example by verifying the server's certificate or by signing the key exchange with a long-term key, since an attacker who merely relays traffic cannot forge that authentication.
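The attack described in the paragraph above, as an added example rather than code from the thesis: an X25519 key exchange between Alice and Bob with Mallory relaying on the wire. Without authentication, Mallory substitutes her own ephemeral key, both victims complete the handshake believing they share a secret with each other, and she can compute the secret each of them is actually using. When each party signs its ephemeral key with a long-term Ed25519 identity that the peer already knows (for instance, distributed by a trusted third party), Bob rejects the substituted key and the handshake aborts. The party names and the use of X25519 and Ed25519 are choices made for the example.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// party has a long-term Ed25519 identity, known to its peers beforehand, and a
// fresh X25519 key pair for this one exchange.
type party struct {
	name string
	id   ed25519.PrivateKey
	eph  *ecdh.PrivateKey
}

func newParty(name string) *party {
	_, id, _ := ed25519.GenerateKey(rand.Reader)
	eph, _ := ecdh.X25519().GenerateKey(rand.Reader)
	return &party{name: name, id: id, eph: eph}
}

func (p *party) identity() ed25519.PublicKey { return p.id.Public().(ed25519.PublicKey) }

// hello is what goes on the wire: the ephemeral public key and, in the
// authenticated variant, the sender's signature over it.
type hello struct{ pub, sig []byte }

func (p *party) sendHello(authenticated bool) hello {
	h := hello{pub: p.eph.PublicKey().Bytes()}
	if authenticated {
		h.sig = ed25519.Sign(p.id, h.pub)
	}
	return h
}

// derive turns a received hello into the shared secret. When expected is set,
// the ephemeral key must carry a valid signature from that long-term identity.
func (p *party) derive(h hello, expected ed25519.PublicKey) ([]byte, error) {
	if expected != nil && !ed25519.Verify(expected, h.pub, h.sig) {
		return nil, errors.New(p.name + ": ephemeral key not signed by the expected identity")
	}
	pk, err := ecdh.X25519().NewPublicKey(h.pub)
	if err != nil {
		return nil, err
	}
	return p.eph.ECDH(pk)
}

// intercept is the man in the middle: Mallory drops the victim's hello and sends
// her own ephemeral key instead, signed with her own identity, the best she can do.
func (p *party) intercept(hello) hello { return p.sendHello(true) }

type outcome struct {
	aliceKey, bobKey []byte // what the honest parties derived
	malloryReads     bool   // can Mallory compute the key Alice is using?
	rejected         bool   // did an honest party abort the handshake?
}

// runExchange runs Alice <-> Bob with or without signatures, and with or
// without Mallory sitting on the wire between them.
func runExchange(authenticated, attacked bool) outcome {
	alice, bob, mallory := newParty("alice"), newParty("bob"), newParty("mallory")
	var wantAlice, wantBob ed25519.PublicKey
	if authenticated { // long-term keys pre-distributed out of band, e.g. by a TTP
		wantAlice, wantBob = alice.identity(), bob.identity()
	}
	wire := func(h hello) hello {
		if attacked {
			return mallory.intercept(h)
		}
		return h
	}
	fromAlice := alice.sendHello(authenticated)
	bobKey, err := bob.derive(wire(fromAlice), wantAlice)
	if err != nil {
		return outcome{rejected: true}
	}
	fromBob := bob.sendHello(authenticated)
	aliceKey, err := alice.derive(wire(fromBob), wantBob)
	if err != nil {
		return outcome{rejected: true}
	}
	malloryKey, _ := mallory.derive(fromAlice, nil) // Mallory's secret with Alice
	return outcome{aliceKey: aliceKey, bobKey: bobKey, malloryReads: bytes.Equal(malloryKey, aliceKey)}
}

func main() {
	for _, c := range []struct{ auth, attacked bool }{{false, false}, {false, true}, {true, true}} {
		o := runExchange(c.auth, c.attacked)
		fmt.Printf("authenticated=%v attacked=%v rejected=%v keysAgree=%v malloryReads=%v\n",
			c.auth, c.attacked, o.rejected, bytes.Equal(o.aliceKey, o.bobKey), o.malloryReads)
	}
}
```

In the unauthenticated run Alice and Bob finish with two different keys, each shared with Mallory, and nothing in the protocol tells them so; that is exactly the situation the text describes. The signature does not hide anything, it only lets Bob check that the key he received was produced by the identity he intended to talk to.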
4. Domain Name System (DNS) Attacks
It is easy for attackers to attack DNS in cloud computing when users or clients try to reach a server by name. Since names are much easier to remember than Internet Protocol (IP) addresses, an attacker may set up a temporary malicious cloud to deceive users or clients; relying on IP addresses is not always a remedy either, since customers may still be routed to the malicious cloud. Even after all DNS security procedures are implemented, security issues may remain depending on the mode selected between the sender and the receiver.
1.7.2 Physical Security Issues
Physical security issues are the other part of cloud computing security [27]. Although data is stored on a virtual server in the cloud, it must also be stored at physical locations on physical hardware. Physical security in the cloud corresponds to the physical machines and storage in the datacenter. Physical security issues manifest as loss of physical control, power failure, human attacks, access control and third-party trust. These physical assets need to be protected from both insider and outsider attackers. Usually the outside threats are easier to deal with than the inside threats, since outside attacks have already been prepared for through risk assessment plans. The inside physical security threats in a cloud datacenter, however, constitute the top risks in the cloud.
1. Loss of Physical Control
The loss of physical access control occurs when clients join the cloud, either by keeping their applications in the cloud or by using cloud storage for saving their data. This loss of control results in issues and concerns for clients, such as the trust and privacy of their data in the cloud provider's datacenter, control over their data in the cloud, and legal limitations imposed by the cloud provider.
2. Privacy and Data
With private, community and public clouds, customer data may not stay in the same system. In other words, it will no longer be located on the client's premises. This raises numerous legal concerns.
3. Control over Data
Customers require full control over their data, not the limited control and accountability available inside public clouds such as IaaS implementations and PaaS operations. Clients need to have confidence that the provider will offer services with appropriate controls.
4. Legal and Regulatory Compliance
It might be difficult or impracticable for customers to use public clouds if their data must be processed subject to legal restrictions or regulatory compliance. Customers should expect providers to build and certify their cloud to address the needs of regulated markets, to obtain certifications, and to establish trust and confidentiality between the customers and the providers of the services.
5. Human Attacks
Human attacks occur when unauthorized personnel try to access the datacenter. Such an attack on a datacenter could be a man-in-the-middle attack or a malicious insider such as an employee of the datacenter. These kinds of attacks are examples of the cloud provider losing substantial control over securing its datacenters and allowing a human attacker to enter its premises.
6. Power Failure
In the event that a cloud provider's datacenter faces any kind of problem which causes a power failure, and the provider does not have a failure recovery plan, the data in the cloud is at risk if it has not been saved by the client and user before the downtime. This also raises the possibility of attackers accessing the servers through man-in-the-middle attacks. Amazon's cloud services infrastructure faced a power failure in its datacenter in August 2011, where many AWS users were affected by the outage because all the services were disconnected.
1.8 TRUSTED THIRD PARTY
We argue that employing Trusted Third Party services within the cloud leads to the establishment of the necessary trust level and provides ideal solutions to protect the confidentiality, authenticity and integrity of data and communications. As described by Castell, "A Trusted Third Party is an impartial organization delivering business confidence, through commercial and technical security features, to an electronic transaction. It supplies technically and legally reliable means of carrying out, facilitating, producing independent evidence about and/or arbitrating on an electronic transaction. Its services are provided and underwritten by technical, legal, financial and/or structural means". This infrastructure relies on a system of digital certificate distribution and a mechanism for associating these certificates with known origin and target sites at every participating server. TTP services are provided and underwritten not only by technical, but also by legal, financial and structural means [27]. A TTP provides:
1. Strong Authentication: the reliable identification of the parties involved in electronic transactions or in the exchange of information by electronic means.
2. Authorization: authenticated access to resources, information systems and databases according to the user's permission rights and roles.
3. Data Confidentiality: the protection of information, whether locally stored or in transmission, from unauthorized access.
4. Data Integrity: the protection of information, whether locally stored or in transmission, from unauthorized alteration.
5. Non-Repudiation: ensuring that no party to an electronic transaction can deny its participation in it.
A PKI in a distributed information system benefits from coupling with a directory. A directory coupled with a PKI can be used to distribute certificates.
Employing Trusted Third Party services inside the cloud leads to the establishment of the required trust level and provides ideal solutions to preserve the confidentiality, integrity and authenticity of data and communications. In cryptography, a Trusted Third Party (TTP) is an entity which facilitates secure communications between two parties who both trust this third party. The scope of a TTP within an information system is to provide end-to-end security services [37]. The trusted third party can be relied upon for:
1. Low and High Level Confidentiality.
2. Server and Client Authentication.
3. Creation of Security Domains.
4. Cryptographic Separation of Data.
5. Certificate-Based Authorization.
1. Low and High Level Confidentiality
Securing data travelling over the network is a tough and highly complex concern, while the threat of data modification and data interception is continuously rising. A cloud environment increases this complexity, as it does not only require protection of traffic towards the cloud but additionally among cloud hosts, since they lack a conventional physical connection. PKI enables implementing IPSec or SSL for secure communications. IPSec is an IP-layer protocol that makes possible the sending and receiving of cryptographically protected packets of any kind (ICMP, UDP, TCP, etc.) without any modification. IPSec provides two kinds of cryptographic services. Depending on the need, IPSec can provide confidentiality and authenticity, or it can provide authenticity only. IPSec users are able to authenticate themselves to the peer entity using PKI certificates, in a way that increases scalability, since only the trusted CA certificate(s) need to be distributed beforehand. The SSL protocol provides end-to-end encryption by interfacing between applications and the TCP/IP protocols to supply client-server authentication and an encrypted communications channel between client and server. Due to the cloud environment's unique characteristics, communications are required to be protected not only between users and hosts but also from host to host. Choosing IPSec or SSL depends on the various needs and security requirements. IPSec is compatible with any application but requires an IPSec client to be installed on each remote device (PC, PDA, etc.) to add the encryption. In contrast, SSL is built into each browser, so no particular client software is required. As the cloud environment promotes use by diverse platforms, it is unacceptable to require users to install an IPSec client for encryption. In addition, as cloud services are mostly accessed through browsers, SSL has many benefits for client-to-host communications. On the other hand, IPSec supports compression, making it a more efficient choice for host-to-host communications. This work proposes implementing IPSec for encrypting host-to-host communications and SSL for client-to-cloud communications.
2. Server and Client Authentication
In a cloud environment a certification authority is required to certify the entities involved in interactions; these include certifying physical infrastructure servers, virtual servers, environment users and the network devices. The PKI certification authority is accountable for generating these required certificates while registering them within the trust mesh. In other words, a certification authority constructs the necessary strong credentials for all the physical or virtual entities involved in a cloud, and it therefore builds a security domain with specific limits within the otherwise fuzzy set of entities of a cloud. Digital signatures in combination with RSA and LDAP [17] implement the strongest available verification process in distributed environments while guaranteeing user mobility and flexibility. The signing private key can be used to authenticate the user automatically and transparently to other servers and devices around the network whenever he/she wants to establish a connection with them. While the cloud is becoming the ordinary operating platform, each service is going to need a secure authorization and authentication process. As the conceptual boundary between an organization's own services and outsourced services becomes "fuzzy", the need to adopt a Single-Sign-On solution is significant. Users need to make use of applications deployed in their virtual "office" without having to repeat the verification process at each service (application) provider or maintain various passwords, but make use of a single strong authentication process that authorizes them to use services across trusted parties. Eight years ago it was all about securing applications inside the enterprise through identity management. Nowadays we talk about securing applications in the cloud by means of identities originating within the enterprise. Shibboleth is standards-based open source middleware software which provides Web Single Sign On (SSO) across or within organizational boundaries. It allows sites to make informed authorization decisions for individual access to protected online resources in a privacy-preserving manner. Shibboleth technology relies on a third party to provide the information about a user, named attributes. In the proposed system architecture, this is performed by the LDAP TTP repository. It is necessary to differentiate the authentication process from the authorization process. During the authentication process a user is required to navigate to his home organization and authenticate himself. During this phase information is exchanged between the user and his home organization only. After the successful authentication of a user, according to the user's attributes/credentials, permission to access resources is either granted or rejected. The process in which the user exchanges his attributes with the resource server is the authorization process, throughout which no personal information is leaked, and it can only be performed after successful authentication. To maximize interoperability among communicating parties, it is a necessity to adopt widely used standards. Security Assertion Markup Language (SAML) is an XML-based standard for exchanging authentication and authorization data between security domains. The primary function of the Shibboleth system is to support identity federation between numerous sites by means of the SAML protocol standard. The Shibboleth and SAML design processes have been coupled to ensure that Shibboleth is standards-based. Because of this design, at a software level, a most important part of the Shibboleth system is the OpenSAML libraries, which are also widely used. Both the OpenSAML libraries and the Shibboleth software are developed by the Shibboleth team and released as open source. Shibboleth's added value lies in support for privacy, business process improvement via user attributes, extensive policy controls, and large-scale federation support via metadata.
3. Creation of Security Domains
Introducing federations, in combination with PKI and LDAP technology, will lead to well-organized trust relationships between the involved entities. A federation is a group of legal entities that share a set of agreed policies and rules for access to online resources. A federation provides a structure and a legal framework that facilitate authorization and authentication across different organizations. Cloud infrastructures can be organized in distinct security domains (an application or collection of applications that all trust a common security token for authentication, authorization or session management), enabling "Federated clouds". Federated Clouds are a group of single clouds that can interoperate, i.e. exchange data and computing resources through defined interfaces. According to essential federation principles, in a federation of clouds each single cloud remains self-governing but can interoperate with other clouds in the federation through standardized interfaces. A federation provides structure and a legal framework that enables authorization and authentication across different organizations.
4. Cryptographic Separation of Data
The security of personal information and/or sensitive data, within the framework of a cloud environment, constitutes a crucial factor for the successful deployment of SaaS and PaaS models [1]. Cryptographic separation is a division in which processes, data and computations are concealed in such a way that they appear intangible to outsiders. Confidentiality and integrity, but also privacy of data, can be protected through encryption. Using a combination of asymmetric and symmetric cryptography (often referred to as hybrid cryptography) can offer the efficiency of symmetric cryptography while maintaining the security of asymmetric cryptography.
5. Certificate-Based Authorization
A cloud environment is a virtual net of a number of independent domains. In a cloud environment, the relationship between resources and users is more ad hoc and dynamic, resource providers and users are not in the same security domain, and users are usually identified by their characteristics or attributes rather than by predefined identities. Therefore, the conventional identity-based access control models are not effective, and access decisions need to be made based on attributes. Certificates issued by a PKI facility can be used for enforcing access control in the web environment. An example is the use of an extended X.509 certificate that carries role information about a user. These certificates are issued by a certification authority that acts as a trust centre in the World Wide Web environment [37]. Attribute certificates contain an attribute-value pair and the principal to whom it applies. They are signed by attribute authorities that have been specified in a use-condition certificate. Attribute-based access control, making access decisions based on the attributes of requestors, resources, and the environment, provides the flexibility and scalability that are fundamental to large-scale distributed systems such as the cloud [30].
1.9 MOTIVATION
Data security and privacy are the two most important security concerns for organizations adopting cloud services. Organizations are reluctant to store their content outside their own premises because of the exposed security threats. As organizations lose control over data in cloud environments, they consider that the content stored in the cloud is more prone to security threats. A foolproof security plan has to be provided to raise the level of trust between the cloud providers and the cloud clients. The cloud providers must provide state-of-the-art security solutions to establish the required level of trust. They have to prove scientifically that the data stored in the cloud is secure and that only authenticated and authorized personnel have the ability to access the cloud data. In my view the cloud industry can thrive rapidly if it takes solid actions to reduce the security and privacy concerns of the organizations considering using cloud services.
To recognize the challenges in adopting cloud services, the International Data Corporation (IDC) conducted a survey of 244 IT executives and their line-of-business colleagues. They were asked to give their views on the usability of IT cloud services. The results show their nine major concerns about adopting cloud services [20]. The survey results explain that security is their top concern in adopting cloud services. The survey also implies that security issues in the cloud should be taken seriously by the cloud providers. The information security paradigm is based on five goals: confidentiality, availability, data integrity, control and auditing, and authenticity. The cloud service providers should strive to accomplish these goals. Achieving these goals in an IT system is sufficient to mitigate the data security concerns. The first three goals (availability, integrity, confidentiality) are competitive in nature: a change to increase one of them might negatively affect the others [22].
The authentication mechanism plays a very important role in security enhancement. An authentication mechanism is like an entrance door and will allow only trusted individuals to enter the cloud premises. The mechanism should be robust enough to ensure availability by letting the right person in, at any time and any place. At the same time, it must ensure confidentiality. The authentication mechanism can be combined with cryptographic techniques to ensure the confidentiality of data. Data integrity can also be ensured if only authenticated persons can access the cloud services and appropriate encryption is performed while transferring data. Having the best feasible authentication mechanism along with a complete security plan can mitigate most of the security concerns of cloud consumers.
1.9 PROBLEM STATEMENT
Nowadays, data communicated within a single cloud environment and between different cloud environments uses a cryptographic security architecture based on SSL and RSA, and certificate-based authorization using LDAP, only at the domain and service layer for the requested services. When data is communicated across different cloud layers and environments, data authentication issues can occur, because the data is transferred between different cloud service providers.
Certainly cloud computing will support information systems, as its benefits outnumber its weaknesses. Cloud computing offers a deployment architecture with the capability to address vulnerabilities recognized in traditional architectures, but its dynamic characteristics can reduce the effectiveness of traditional countermeasures. We have identified generic design principles of a cloud environment which stem from the requirement to control relevant vulnerabilities and threats. Security in a cloud environment needs a systemic point of view, from which security will be constructed on trust, delegating protection to a trusted third party. A combination of LDAP with the mechanisms described above can address most of the identified threats in cloud computing, dealing with the integrity, confidentiality, authenticity and availability of data and communications. The solution presents a horizontal level of service, available to all concerned entities, that realizes a security mesh through federations inside which essential trust is maintained.
CHAPTER 2
REVIEW OF PRIOR WORKS/SURVEYS
Related work in cloud computing security: several methods have been proposed in the literature for handling security issues in cloud computing. A brief discussion of these methods is given below.
In 2012, Ayala et al. identified the threats and attacks and proposed solutions based on guides from NIST and CSA [17]. In the same year, Yeluri et al. reported on the experiences of the Intel team with threats to security and resource control in CC. Also in 2012, Aqrabi et al., through a review of the literature and results obtained in simulations, proposed to identify the issues in the adoption of security and compliance in CC. Nowadays, the theme of security threats in Cloud Computing is being well explored.
In 2011, Hori et al. reported on security aspects of internal threats in CC. In the same year, Khorshed et al. proposed two contributions: a literature survey focused on the gaps and challenges of threats, and an approach to the prevention of attacks.
Virtualization introduces a new layer of implementation to our traditional computer networks (Bliekertz, 2010). Considering the implementation of this new layer, virtualization introduces new security issues in the network. A literature review focusing on security issues concerning virtualization is discussed below.
One of the benefits of virtualization is its ability to easily scale up server environments. Although a benefit, it is also a great concern for security administrators. The scalability factor in large network deployments can lead to inconsistency in monitoring the server environment (Hietala, 2009). With a few mouse clicks, virtual machines appear and disappear from the virtual infrastructure very quickly. VMMs (Virtual Machine Monitors) give administrators the flexibility to deploy new virtual machines in their server environment, and they are no longer bound to acquiring physical resources. Over a period of time this has an impact on the security mechanisms within the network, as the workload on administrators also increases and may lead to inconsistency in security mechanisms as well (Bliekertz, 2010).
Administration of the virtual infrastructure is yet another important security issue (Pfaff et al., 2009). Virtualization emulates layer 1, layer 2 and layer 3 of the OSI model, which ultimately host the other layers of this model. De facto, layers 1 to 3 are managed by the network engineers and the remaining layers are managed by systems engineers. VMMs/hypervisors are managed by systems engineers, as VMMs are software that emulates virtual environments.
Popović and Hocenski discussed security issues, requirements and challenges that cloud service providers (CSPs) need to address in cloud engineering.
Security issues describe the problems encountered during the implementation of cloud computing (CC).
Security standards provide some security templates, which are mandatory for cloud service providers. The Open Virtualization Format (OVF) is a standard for creating new business models that help a company sell a product on premises, on demand, or in a hybrid deployment model.
Security management models are designed based on the security standards and best practices.
Maggi and Zanero addressed countermeasures (anti-viruses, intrusion detection systems) developed to mitigate well-known security threats. The focus is mainly on anomaly-based approaches, which are mostly suited for modern protection tools and not for intrusion detectors. The pattern-based changes (for example: from thin clients connected to the mainframe to powerful workstations connecting to thin clients) are observed, which cause some simultaneous changes in the work environment and new problems for the security of CC.
Ertaul et al. mentioned CC's features like reduced total cost of ownership, scalability and competitive differentiation. They claim CC also minimizes complexity and provides faster and easier acquisition of services to customers. Virtualization is the technique used to deal with quality of service (QoS). Usage of CC is considered to be unsafe in an organization. For dealing with this type of situation, they investigated a few major security issues with CC and also existing countermeasures to those security challenges. Advantages of implementing CC from a different point of view are also discussed. They also stated that some standards are required in CC for security.
Subashini and Kavitha dealt with the security risks faced in CC. They provided empirical evidence on security risks and issues encountered during the deployment of service delivery models in an organization. The service models are placed in the cloud and the empirical validation was made in order to justify the safety of the environment. Security was the main issue, while there were also complications with data protection and data privacy on a continuous basis that affected the market.
Md. Tanzim Khorshed et al. state that cloud computing helps reduce the cost of services and improves business outcomes. But to market this and popularize its use by the IT user community, there are many security risks to be solved. They also mentioned that cloud services pose an attractive target for cyber attacks and criminal activities, as these services have information from many organizations and individuals stored in their repositories. The authors perform a survey in cloud computing to find out gaps and security concerns and mention 5 common types of attacks:
Denial of Service: In this type of attack the attacker prevents the legitimate user from accessing his resources.
Malicious Insider Attacks: In this type of attack the attacker is an insider. This person can easily gain access to sensitive user information, namely passwords, cryptographic keys, etc.
Cross Virtual Machine Side Channel Attacks: The type of attack in which the attacker resides on the same physical hardware as the target virtual machine and gains access to its sensitive information.
Phishing Attacks: In this type of attack the attacker sends links to the target user through email or instant messages. These links look as if they were sent by a trusted party, but through these links the attacker can gain access to sensitive user information.
Attacks Targeting Shared Memory: The shared memory between the user and the attacker is used to perform unwanted, unauthorized actions.
A study by Farhan Bashir Sheikh et al. includes information regarding vulnerable security threats from 11 articles. The authors tabulated their findings, i.e., the problem discussed and the technique used to solve the problem in each paper. But in the end, they conclude by expressing that cloud computing, from the user's perspective, is suffering from numerous security threats. This, they say, is the only worth-mentioning disadvantage of CC. They also list the following as key concerns from their point of view:
User Authentication: The user authentication process must be improved to ensure that malicious users do not get access to powerful computing systems in CC.
Leakage of Data or Data Loss: Data can be at risk if an unauthorized person gains access to the shared pool of resources and deletes or modifies data. This risk can increase further if no backup exists for that data.
Client Trust: There must be strong authentication practices implemented to ensure that the client's data is being protected from unauthorized access.
Malicious User Handling: Malicious users can be attackers using cloud services with malicious intent, or an insider who has gained the trust of the company but works to gain access to sensitive information stored in the cloud.
Hijacking of Sessions: These kinds of attacks happen when a legitimate user is prone to phishing or insecure application interfaces that can be exploited by attackers. Through this kind of attack, attackers gain user credentials and hijack the legitimate user's sessions.
Wrong Usage of CC and its Services: Cloud computing service providers give access to try their cloud services for a limited period of time for free. Some users utilize this trial period to misuse the resources obtained through the CC service provider.
Iliana Iankoulova et al. performed a systematic review to identify which security requirements need to be further researched. To that end, the authors used an existing model with 9 sub-factors, namely: access control, attack/harm detection, non-repudiation, integrity, security auditing, physical protection, privacy and confidentiality, recovery, and prosecution, to categorize their findings from 55 papers. From this review they found that non-repudiation, physical protection, recovery and prosecution are the least researched security areas. Integrity, access control and security auditing are the most popular areas. A surprising finding in their review is that privacy and confidentiality had been observed in only 7% of publications. In addition to security requirements, solutions to these identified challenges were also mentioned.
Eystein Mathisen discusses some key security issues of cloud computing (policy, software and hardware security) and techniques implemented to reduce the risk. The author expresses that usage of CC will increase in the near future and more companies will move their information to cloud servers, which could attract large groups of hackers. He also says that in future there are possibilities for interoperability and data lock-in issues, which can be reduced by using open standards from the time of CC adoption. The author concluded by saying that security is always addressed late while adopting CC and also mentioned that security standards are still missing for CC. If an organization wishes to shift to CC but is reluctant due to a lack of proper measures or standards, it can refer to the Open Cloud Manifesto, which is the largest initiative surrounding open standards. These standards are restrictive, and so most companies do not wish to follow the Open Cloud Manifesto standards.
In the study performed by Ertaul et al., he mentions that CC is considered unsafe to be used by organizations, and he also stated that CC requires some standards. This provides a need for further research to ensure security for all those who are using CC applications.
Eystein Mathisen concluded in his article that security is always addressed late while adopting CC. He also says that no proper security standards for CC exist.
Md. Tanzim Khorshed et al. and Farhan Bashir Sheikh et al. both advocate that security challenges are still a major hindrance to adopting CC.
Md. Tanzim Khorshed et al. have identified some threats to CC and proposed a method for automatic detection of network attacks, but it is still not used in the real world.
Iliana Iankoulova et al. identified a few security areas of CC to be less researched and also suggested using another way of categorization in further studies.
CHAPTER 3
PROPOSED METHODOLOGY
3.1 PROPOSED
This thesis attempts to propose a security solution to a number of challenges in a cloud environment, which relieves consumers of the security burden by trusting a Third Party. Trust basically operates in a top-down approach, as each layer needs to trust the layer immediately below it, and requires a security guarantee at an operational, technical, procedural and legal level to enable secure communications with it. A trusted certificate serves as a reliable electronic "passport" that establishes an entity's identity, credentials and responsibilities. Trust can be viewed as a chain from the end user, to the application owner, who in turn trusts the infrastructure provider (either at a virtual or hardware level according to the selected service model). A Trusted Third Party is able to provide the required trust by guaranteeing that communicating parties are who they claim to be and have been scrutinized to adhere to strict requirements. This process is performed through the certification process, during which an entity requiring certification is required to conform to a set of policies and requirements. TTPs are ideal security facilitators in a distributed cloud environment where entities belonging to separate administrative domains, with no prior knowledge of each other, require establishing secure interactions. An end user is required to use his personal digital certificate to strongly authenticate himself with a cloud service and validate his access rights to a required resource. This certificate is used in combination with the service provider's certificate (PaaS, SaaS or IaaS level) to create a secure SSL connection between them, thus encrypting exchanged data and guaranteeing their security through the cloud infrastructure. The user is able to encrypt all personal data stored on the cloud to counter previously identified confidentiality risks. As cloud infrastructures host a number of services, numerous applications can be accumulated on a virtual server, every one requiring separate digital certificates for SSL communications (different ports can be used to support more than one SSL connection to a virtual server). The application provider can use his own certificate to authenticate himself in communications with the cloud, but also use this certificate to encrypt and decrypt application data. These certificates can be enhanced to carry role information about a user or process (extended X.509 certificates). At the lowest level the hardware infrastructure owner makes use of a digital certificate to communicate securely between devices and virtual servers, but also for authentication purposes if required. Key management is a critical issue in cloud infrastructures, as the virtualization of services obscures the identification of the physical key storage location, disabling traditional protection mechanisms. Keys are principally stored and protected at a hardware infrastructure level. In such an environment, deploying tamper-proof devices for key protection is essential, e.g. user smart cards coupled with a Hardware Security Module as part of the virtual deployment.
Fig.3.1 Certificate Moving Through Different Layers in a Cloud Environment
The proposed solution calls for a leading LDAP protocol infrastructure to ensure the authentication, integrity and confidentiality of the involved data and communications. A TTP is tasked with assuring specific security characteristics within a cloud environment, while realizing a trust mesh between the involved entities, forming federations of clouds.
Fig.3.2 User Authenticates; Certificate Is Used To Encrypt All Data Communications.
The solution presents a horizontal level of service, available to all implicated entities, that realizes a security mesh within which the necessary trust is maintained. This approach makes use of a combination of Public Key Cryptography, Single-Sign-On technology and LDAP directories to securely identify and authenticate the implicated entities. The model presented in this work offers the advantages of each single technology used and deals with their deficiencies through their combined implementation. The trusted third party can be relied upon for:
1. Generating Security Domains.
2. Low and High Level Confidentiality.
3. Server and Client Authentication.
4. Certificate-Based Authorization.
5. Cryptographic Separation of Data.
Public Key Infrastructure is able to effectively transform security problems into key management issues. Ultimately, the success of the proposed solution, as with any cryptographic system, is dependent on controlling access to private keys. An additional important factor, as in every centralized system, is system and network performance. Availability is of increased importance in a cloud infrastructure, because of the increased performance demands on the network. The Quality of Service provided is a key issue, also in host-to-host communication, as additional encryption processes could reduce efficiency. The constant encryption and decryption of data could have a heavy toll on speed, inducing additional processing consumption. Using the cloud infrastructure's flexibility within the context of demand on CPU could relieve the system from this overhead and increase encryption/decryption speed. Currently, encryption schemes are being researched that allow data to be examined without the need for it to be decrypted. Future work should focus on improving the availability and quality of the services provided.
We are currently in the process of researching the development of extended cloud certificates that provide information to end users about the trust path followed on the layers below them. These certificates will include extended information on data ownership and responsibilities. These certificates will ensure the authentication, integrity and confidentiality of data, but also non-repudiation of transactions at layers much below the user.
Cryptographic Separation of Data
The protection of personal and/or sensitive data within a cloud environment is a crucial factor for the successful deployment of the SaaS and PaaS models. Cryptographic separation is a partitioning in which processes, computations and data are concealed in such a way that they appear intangible to outsiders. Confidentiality and integrity, but also privacy of data, can be protected through encryption. Using a combination of asymmetric and symmetric cryptography (often referred to as hybrid cryptography) offers the efficiency of symmetric cryptography while maintaining the security of asymmetric cryptography.
Certificate-Based Authorization
A cloud environment is a virtual network of several independent domains. In a cloud environment the association between resources and users is more ad hoc and dynamic, resource providers and users are not in the same security domain, and users are usually identified by their characteristics or attributes rather than by predefined identities. Therefore the traditional identity-based access control models are not effective, and access decisions need to be made based on attributes. Certificates issued by a PKI facility can be used to enforce access control in the web environment. An example is the use of an extended X.509 certificate that carries role information about a user. These certificates are issued by a certification authority that acts as a trust centre in the global web environment. Attribute certificates contain an attribute-value pair and the principal to whom it applies. They are signed by attribute authorities that have been specified in a use-condition certificate. Attribute-based access control, which makes access decisions based on the attributes of resources, requestors and the environment, provides the flexibility and scalability that are essential to large-scale distributed systems such as the cloud.
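The attribute-based access decision this subsection describes, as an added example that is not part of the thesis. It assumes a simplified attribute certificate (principal, one attribute-value pair, expiry, issuer) signed by the attribute authority with Ed25519, standing in for the X.509 attribute certificates the text mentions, and a constructed policy for a hypothetical tenant database: the authority name, the policy and every sample value are the example's own. The decision point discards attributes whose signature does not verify against a trusted authority, that belong to another principal or that have expired, and only then evaluates requestor, resource and environment attributes.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// AttributeCert is a simplified attribute certificate: one attribute-value pair
// bound to a principal, with an expiry and the issuing attribute authority.
// It stands in for an X.509 attribute certificate (constructed for this example).
type AttributeCert struct {
	Principal string    `json:"principal"`
	Attribute string    `json:"attribute"`
	Value     string    `json:"value"`
	NotAfter  time.Time `json:"not_after"`
	Issuer    string    `json:"issuer"`
}

// SignedAttributeCert is the certificate plus the attribute authority's signature.
type SignedAttributeCert struct {
	Cert      AttributeCert
	Signature []byte
}

// Issue is the attribute authority's job: sign the encoded certificate.
func Issue(aaKey ed25519.PrivateKey, c AttributeCert) (SignedAttributeCert, error) {
	msg, err := json.Marshal(c)
	if err != nil {
		return SignedAttributeCert{}, err
	}
	return SignedAttributeCert{Cert: c, Signature: ed25519.Sign(aaKey, msg)}, nil
}

// Request is an access attempt: requestor, resource ("tenant/name"), action and
// environment attributes such as the network the request arrives from.
type Request struct {
	Principal, Resource, Action string
	Env                         map[string]string
	Now                         time.Time
}

// PDP is the policy decision point; it trusts only the listed attribute authorities.
type PDP struct {
	TrustedAAs map[string]ed25519.PublicKey // issuer name -> verification key
}

// verifiedAttributes keeps an attribute only if its certificate was signed by a
// trusted authority, names the requesting principal and has not expired.
func (p PDP) verifiedAttributes(req Request, certs []SignedAttributeCert) map[string]string {
	attrs := map[string]string{}
	for _, sc := range certs {
		pub, trusted := p.TrustedAAs[sc.Cert.Issuer]
		msg, err := json.Marshal(sc.Cert)
		if !trusted || err != nil || !ed25519.Verify(pub, msg, sc.Signature) {
			continue // unknown issuer, or forged/altered certificate
		}
		if sc.Cert.Principal != req.Principal || req.Now.After(sc.Cert.NotAfter) {
			continue // someone else's attribute, or expired
		}
		attrs[sc.Cert.Attribute] = sc.Cert.Value
	}
	return attrs
}

// Decide evaluates a constructed policy over requestor, resource and environment
// attributes: reading a tenant's resource needs tenant=<that tenant>; writing it
// also needs role=dbadmin and a request arriving from the corporate network.
func (p PDP) Decide(req Request, certs []SignedAttributeCert) (bool, error) {
	attrs := p.verifiedAttributes(req, certs)
	tenant := strings.SplitN(req.Resource, "/", 2)[0]
	if attrs["tenant"] != tenant {
		return false, fmt.Errorf("no valid tenant=%s attribute for %s", tenant, req.Principal)
	}
	switch req.Action {
	case "read":
		return true, nil
	case "write":
		if attrs["role"] != "dbadmin" {
			return false, fmt.Errorf("write requires role=dbadmin")
		}
		if req.Env["network"] != "corporate" {
			return false, fmt.Errorf("write allowed only from the corporate network")
		}
		return true, nil
	}
	return false, fmt.Errorf("unknown action %q", req.Action)
}

func main() {
	aaPub, aaKey, _ := ed25519.GenerateKey(rand.Reader) // the attribute authority's key pair
	pdp := PDP{TrustedAAs: map[string]ed25519.PublicKey{"aa.example": aaPub}}
	exp := time.Now().Add(24 * time.Hour)
	role, _ := Issue(aaKey, AttributeCert{"alice", "role", "dbadmin", exp, "aa.example"})
	ten, _ := Issue(aaKey, AttributeCert{"alice", "tenant", "acme", exp, "aa.example"})
	req := Request{"alice", "acme/db", "write", map[string]string{"network": "corporate"}, time.Now()}
	fmt.Println(pdp.Decide(req, []SignedAttributeCert{role, ten}))
	req.Env["network"] = "internet"
	fmt.Println(pdp.Decide(req, []SignedAttributeCert{role, ten}))
}
```

The order matters: signature, principal and validity are checked before any policy logic runs, so a certificate signed by an untrusted authority or edited after signing contributes no attribute at all rather than a wrong one.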
3.2 LDAP (Lightweight Directory Access Protocol)
LDAP, the Lightweight Directory Access Protocol, is an Internet protocol that e-mail and other programs use to look up information from a server. LDAP is used to look up encryption certificates and other services on a network, and to provide single sign-on, where one password for a user is shared among many services. LDAP is appropriate for any kind of directory-like information where fast lookups and less frequent updates are the norm. Each e-mail program has a personal address book, but how do you look up an address for somebody who has never sent you e-mail? How can an organization keep one centralized, up-to-date phone book that everyone has access to? That question led software companies such as Microsoft, IBM, Lotus and Netscape to support a standard called LDAP. LDAP-aware client programs can ask LDAP servers to look up entries in a wide variety of ways. LDAP servers index all the data in their entries, and filters may be used to select just the person or group you want and to return just the information you want. For example, an LDAP search can be translated into plain, understandable language. Things you can do with LDAP:
1. Users and Security
2. Contact Management
3. Image storage
4. Store business logic
5. Document Management
3.2.1 LDAP Working: Client connects to server -> operations -> disconnect from server
These operations include:
1. Binding to the server
2. Adding an entry
3. Comparing entries
4. Searching for an entry
5. Modifying existing entries
6. Removing an entry
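The search operation listed above, together with the filters mentioned in 3.2 (the server uses a filter to select just the person or group you want), as an added example that is not the thesis's own code and uses no LDAP server or client library. It implements a small evaluator for LDAP search filters in the RFC 4515 syntax (and, or, not, equality, substring with "*" and presence) over in-memory entries; the sample directory entries, DNs and attribute values are constructed for the example, and the filter subset is the example's own choice (no >=, <=, escapes or extensible matching).

```go
package main

import (
	"fmt"
	"strings"
)

// Entry is a directory entry: its DN plus multi-valued attributes.
type Entry struct{ DN string; Attrs map[string][]string }

// Filter is one node of a parsed RFC 4515 search filter. Op is '&', '|' or '!'
// for compound nodes and '=' for items (equality, substring with '*', presence).
type Filter struct{ Op byte; Attr, Value string; Kids []*Filter }
type parser struct{ s string; pos int }

// ParseFilter parses that subset; >=, <=, escapes and extensible rules are not handled.
func ParseFilter(s string) (*Filter, error) {
	p := &parser{s: s}
	f, err := p.parse()
	if err != nil { return nil, err }
	if p.pos != len(s) { return nil, fmt.Errorf("trailing data at offset %d", p.pos) }
	return f, nil
}

func (p *parser) parse() (*Filter, error) {
	if p.pos+1 >= len(p.s) || p.s[p.pos] != '(' { return nil, fmt.Errorf("expected '(' at offset %d", p.pos) }
	p.pos++
	f := &Filter{}
	switch c := p.s[p.pos]; c {
	case '&', '|', '!': // compound: nested filters follow; '!' takes exactly one
		f.Op = c
		p.pos++
		for p.pos < len(p.s) && p.s[p.pos] == '(' {
			k, err := p.parse()
			if err != nil { return nil, err }
			f.Kids = append(f.Kids, k)
		}
		if len(f.Kids) == 0 || (c == '!' && len(f.Kids) != 1) { return nil, fmt.Errorf("bad operand count for '%c'", c) }
	default: // item: attr=value, attr=*sub*string* or attr=* (presence)
		end := strings.IndexByte(p.s[p.pos:], ')')
		if end < 0 { return nil, fmt.Errorf("missing ')'") }
		item := p.s[p.pos : p.pos+end]
		p.pos += end
		eq := strings.IndexByte(item, '=')
		if eq <= 0 { return nil, fmt.Errorf("malformed item %q", item) }
		f.Op, f.Attr, f.Value = '=', item[:eq], item[eq+1:]
	}
	if p.pos >= len(p.s) || p.s[p.pos] != ')' { return nil, fmt.Errorf("expected ')' at offset %d", p.pos) }
	p.pos++
	return f, nil
}

// Match evaluates the filter against one entry; names and values are compared
// case-insensitively, the usual caseIgnoreMatch behaviour.
func (f *Filter) Match(e Entry) bool {
	switch f.Op {
	case '&':
		for _, k := range f.Kids { if !k.Match(e) { return false } }
		return true
	case '|':
		for _, k := range f.Kids { if k.Match(e) { return true } }
		return false
	case '!':
		return !f.Kids[0].Match(e)
	}
	want := strings.ToLower(f.Value)
	for name, values := range e.Attrs {
		if !strings.EqualFold(name, f.Attr) { continue }
		for _, v := range values {
			if want == "*" || glob(want, strings.ToLower(v)) { return true }
		}
	}
	return false
}

// glob is LDAP substring matching: '*' stands for any run of characters.
func glob(pattern, s string) bool {
	parts := strings.Split(pattern, "*")
	if len(parts) == 1 { return pattern == s }
	if !strings.HasPrefix(s, parts[0]) { return false }
	s = s[len(parts[0]):]
	for _, mid := range parts[1 : len(parts)-1] {
		i := strings.Index(s, mid)
		if i < 0 { return false }
		s = s[i+len(mid):]
	}
	return strings.HasSuffix(s, parts[len(parts)-1])
}

// Search returns the DNs of matching entries, as a DSA answers a search request.
func Search(entries []Entry, filter string) ([]string, error) {
	f, err := ParseFilter(filter)
	if err != nil { return nil, err }
	var dns []string
	for _, e := range entries {
		if f.Match(e) { dns = append(dns, e.DN) }
	}
	return dns, nil
}

// SampleDirectory is a constructed set of entries for the demonstration (not real data).
func SampleDirectory() []Entry {
	return []Entry{
		{"uid=alice,ou=people,dc=example,dc=com", map[string][]string{"objectClass": {"person", "inetOrgPerson"}, "cn": {"Alice Adams"}, "mail": {"alice@example.com"}, "department": {"security"}}},
		{"uid=bob,ou=people,dc=example,dc=com", map[string][]string{"objectClass": {"person"}, "cn": {"Bob Brown"}, "mail": {"bob@example.com", "bob@partner.org"}, "department": {"sales"}}},
		{"cn=admins,ou=groups,dc=example,dc=com", map[string][]string{"objectClass": {"groupOfNames"}, "cn": {"admins"}, "member": {"uid=alice,ou=people,dc=example,dc=com"}}},
	}
}

func main() {
	fmt.Println(Search(SampleDirectory(), "(&(objectClass=person)(!(mail=*@partner.org)))"))
}
```

The parser rejects unbalanced or trailing input instead of guessing, which is the property to insist on wherever filter strings are assembled from user input: a client that concatenates a user-supplied value into a filter without escaping changes the query's structure, and a strict parser at least fails loudly on the malformed cases.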
An LDAP directory can be distributed among numerous servers. Each server can hold a replicated version of the total directory that is synchronized periodically. An LDAP server is called a Directory System Agent (DSA). An LDAP server that receives a request from a user takes responsibility for the request, passing it to other DSAs as needed but ensuring a single coordinated reply for the user. LDAP is not restricted to contact information, or even to information about people. As a protocol, LDAP does not define how programs work on either the client or the server side; it describes the language used by client programs to talk to servers (and servers to servers, too). On the client side, a client may be an e-mail program, an address book or a printer browser. The server may speak only LDAP, or have other methods of sending and receiving data; LDAP may just be an add-on method. If you have an e-mail program (as opposed to web-based e-mail), it probably supports LDAP. Most LDAP clients only read from a server. The search capability of clients (as seen in e-mail programs) varies widely. A few can write or update information, but LDAP itself does not include security or encryption, so updates usually need additional protection such as an encrypted SSL connection to the LDAP server. LDAP also defines permissions, set by the administrator, that allow only certain people to access the LDAP database and optionally keep certain data private. A schema is a way to describe the format and attributes of data in the server. For example, a schema entered in an LDAP server may define a particular person entry type which has an attribute for an instant-messaging address. The normal attributes of name, e-mail address, etc. would be inherited from one of the standard schemas, which are rooted in X.500. LDAP was designed at the University of Michigan to adapt a complex enterprise directory system called X.500 to the modern Internet. X.500 is too complex to support on desktops and over the Internet, so LDAP was created to provide this service for the rest of us. LDAP servers exist at three levels: there are enormous public servers, large organizational servers at universities and corporations, and smaller LDAP servers for workgroups. The idea of publicly listing your e-mail address for the world to see has, of course, been undermined by spam. While LDAP did not bring us the worldwide e-mail address book, it continues to be a popular standard for communicating record-based, directory-like data among programs.
Lightweight Directory: directories are somewhat like a database, but not quite. A directory is a specialized database that is optimized for lookups. Unlike a traditional RDBMS, LDAP is not designed to express complex relationships between relations; it is designed for fast lookups, and this is where LDAP excels.
Access Protocol: LDAP is an outgrowth of the X.500 standard. LDAP is an open standard, unlike many other proprietary directory solutions. Most of the directory-like solutions on the market are now very similar to LDAP. Some of these solution providers, Sun and Microsoft specifically, have designed the JNDI and ADSI APIs so that you can connect to any kind of directory service, much as JDBC or ODBC do for an RDBMS.
3.3 Implementation of OSSEC
OSSEC is a scalable, multi-platform, open source host-based intrusion detection system (HIDS). It has a powerful correlation and analysis engine, integrating log analysis, file integrity checking, centralized policy enforcement, Windows registry monitoring, rootkit detection, active response and real-time alerting [38]. It runs on most operating systems, including OpenBSD, Linux, MacOS, FreeBSD, Solaris and Windows. OSSEC is composed of several pieces. It has a central manager monitoring everything and receiving information from agents, databases, syslog and agentless devices. The diagram shows the central manager receiving events from system logs, remote devices and agents. When something is detected, active responses can be executed and the administrator is notified.
Fig 3.3 Architecture of OSSEC
OSSEC does "security log analysis". It is not a log management tool: it only stores alerts, not every single log. Security log analysis can also be called LIDS, log-based intrusion detection system. We could even call it OSSEC LIDS, since some users only use the log analysis side of OSSEC.
3.3.1 Log-Based Intrusion Detection
Log analysis for intrusion detection is the process, or set of techniques, used to detect attacks on a specific environment using logs as the primary source of information. LIDS is also used to detect computer misuse, policy violations and other forms of inappropriate activity.
The figure shows the cloud computing intrusion detection model.
Fig 3.4 Cloud Computing Intrusion Detection model
The functions of each component are as follows:
1) Log collection module
Host logs are collected from the virtual hosts; they include the source port of each connection to the host computer, CPU utilization and connection data such as duration and number of connections. Network packets are collected from the network; they include the network source port, destination port, connection duration and network bandwidth usage. Log data are also collected from the Super Manager hypervisor.
2) Rule database module
Based on the high-volume history log, decision-making rules based on rough set theory are established.
3) Log data storage module
The collected log data are matched against the rule base. If the behaviour is abnormal, alarms are generated and transmitted to the security management centre for response.
4) Analysis module
The logs are collected and saved into the log table, then passed to the rough-set-based analysis module for processing, and new decision-making rules are generated.
5) Alarming module
The collected logs are matched against the decision-making rules in the rule database. If the behaviour is abnormal, the system generates alarms.
6) Cloud computing management module
Abnormal alarms are transmitted to the cloud computing security management centre, which is responsible for real-time response.
3.3.2 Open Source Host-based IDS (HIDS)
Main tasks:
➔ Log analysis
➔ File integrity checking (UNIX and Windows)
➔ Registry integrity checking (Windows)
➔ Host-based anomaly detection (for UNIX: rootkit detection)
➔ Active response
We are using OSSEC HIDS because it not only performs all the analysis mentioned here, but also has rules for multiple log formats, making our correlation simpler. There are two models for OSSEC implementation.
1. Local (when you have just one system to monitor)
Fig 3.5 Local HIDS
Generic log analysis flow breakdown (for OSSEC local):
➔ Log collecting is done by ossec-logcollector
➔ Analysis and decoding are done by ossec-analysisd
➔ Alerting is done by ossec-maild
➔ Active responses are done by ossec-execd
2. Client/Server for centralized analysis
Fig 3.6 Client/Server HIDS
Generic log analysis flow for the client/server architecture:
➔ Log collecting is done by ossec-logcollector
➔ Analysis and decoding are done by ossec-analysisd
➔ Alerting is done by ossec-maild
➔ Active responses are done by ossec-execd
Network communication in OSSEC
Fig 3.7 Agent/Server Network Communication
Agent/Server network communication:
➔ Compressed (zlib)
➔ Encrypted using pre-shared keys with Blowfish
➔ By default uses UDP port 1514
➔ Multi-platform (Windows, Solaris, Linux, etc.)
3.3.3 Focus on the Main Process of OSSEC (ossec-analysisd)
The log flow inside analysisd has three main parts:
1) Log pre-decoding
2) Log decoding
3) Log analysis / signatures
Fig 3.8 Internal Log Flow
1) Log pre-decoding
Log pre-decoding extracts generic information from logs:
➔ Hostname, program name and time from the syslog header
➔ Logs must be well formatted
2) Log decoding
The log decoding process identifies key information in logs:
➔ OSSEC comes with hundreds of decoders by default
➔ Generally we want to extract source IP, user name, id, etc.
➔ User-defined list (XML) in decoders.xml
➔ Tree structure inside OSSEC
3) Log rules
The next step after decoding is to check the rules:
➔ Internally stored in a tree structure
➔ User-defined XML
➔ Very easy to write!
➔ Allows matching based on decoded information
➔ Independent of the initial log format, because of the decoders
➔ OSSEC comes with more than 400 rules by default!
There are two types of rules:
➔ Atomic (based on a single event)
➔ Composite (based on patterns across multiple logs)
Using additional rule options:
➔ We will create a third rule, dependent on the second
➔ It will only be called if the second one matches!
➔ It checks whether the hostname was decoded as mainserver
➔ It checks whether the decoded IP address is outside the network
Log analysis is one of the most overlooked aspects of intrusion detection. These are some of the things your analysis tool should do:
1. Understand your logs. Know what is good and what is bad.
2. Correlate the bad events, looking for patterns that may indicate an attack or intrusion.
3. Correlate the good events with the bad events (e.g. multiple failed logins followed by a successful one).
4. Correlate the good events (e.g. too many successful logins for the same user across multiple hosts in a small period of time).
5. Look for unusual patterns that are not in your good or bad list.
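The three-stage flow of ossec-analysisd from 3.3.3 (pre-decoding, decoding, rules), the dependent third rule described under "Using additional rule options" (hostname decoded as mainserver, source address outside the network), the collection/rule/alarm pipeline of the model in 3.3.1, and item 3 of the checklist just above (failed logins followed by a successful one), as one added example that is neither OSSEC's code nor part of the thesis. It reproduces the logic in Go with two constructed sshd decoders and four constructed rules: 100 is atomic, 101 is composite (repeated failures from one source within a time window), 102 depends on 101 and adds the two conditions from the text, and 103 correlates a successful login with the preceding failures. The log lines, hostnames, addresses, thresholds, the internal network range and the rule numbers are all invented for the example; OSSEC's own decoder and rule XML is not used.

```go
package main

import (
	"fmt"
	"net"
	"regexp"
	"time"
)

// Event is what pre-decoding (syslog header) and decoding (program-specific
// fields) extracted from one log line; Decoder is "" when no decoder matched.
type Event struct {
	Time                                             time.Time
	Hostname, Program, Message, SrcIP, User, Decoder string
}

// Alert is the output of a rule match.
type Alert struct{ RuleID, Level int; Description string; Event Event }

var (
	syslogHeader = regexp.MustCompile(`^([A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) (\S+) ([^\[:\s]+)(?:\[\d+\])?: (.*)$`)
	sshdFailed   = regexp.MustCompile(`^Failed password for (?:invalid user )?(\S+) from (\S+) port \d+`)
	sshdAccepted = regexp.MustCompile(`^Accepted \S+ for (\S+) from (\S+) port \d+`)
)

// PreDecode extracts the generic syslog header fields (time, hostname, program);
// lines that are not well formatted are rejected, as ossec-analysisd does.
func PreDecode(line string, year int) (Event, error) {
	m := syslogHeader.FindStringSubmatch(line)
	if m == nil { return Event{}, fmt.Errorf("not a syslog line: %q", line) }
	t, err := time.Parse("Jan _2 15:04:05 2006", fmt.Sprintf("%s %d", m[1], year))
	return Event{Time: t, Hostname: m[2], Program: m[3], Message: m[4]}, err
}

// Decode runs the program-specific decoders (two constructed sshd decoders) to
// pull out the fields the rules match on: source IP and user name.
func Decode(ev Event) Event {
	if ev.Program != "sshd" { return ev }
	if m := sshdFailed.FindStringSubmatch(ev.Message); m != nil {
		ev.User, ev.SrcIP, ev.Decoder = m[1], m[2], "sshd-failed"
	} else if m := sshdAccepted.FindStringSubmatch(ev.Message); m != nil {
		ev.User, ev.SrcIP, ev.Decoder = m[1], m[2], "sshd-success"
	}
	return ev
}

// Analyzer holds the rule parameters (internal network, time window, failure
// threshold) and the state composite rules need: recent failures per source IP.
type Analyzer struct {
	Internal  *net.IPNet
	Window    time.Duration
	Threshold int
	failures  map[string][]time.Time
}

// recentFailures forgets failures older than Window and returns how many remain.
func (a *Analyzer) recentFailures(ip string, now time.Time) int {
	kept := a.failures[ip][:0]
	for _, t := range a.failures[ip] {
		if now.Sub(t) <= a.Window { kept = append(kept, t) }
	}
	a.failures[ip] = kept
	return len(kept)
}

// Process runs one line through pre-decoding, decoding and the rules.
func (a *Analyzer) Process(line string) []Alert {
	if a.failures == nil { a.failures = map[string][]time.Time{} }
	ev, err := PreDecode(line, 2024) // syslog lines carry no year; 2024 assumed
	if err != nil { return nil }
	ev = Decode(ev)
	var alerts []Alert
	switch ev.Decoder {
	case "sshd-failed":
		alerts = append(alerts, Alert{100, 5, "sshd: authentication failed", ev}) // atomic rule 100
		a.failures[ev.SrcIP] = append(a.failures[ev.SrcIP], ev.Time)
		if n := a.recentFailures(ev.SrcIP, ev.Time); n >= a.Threshold {
			// composite rule 101: rule 100 matched Threshold times from one source within Window
			alerts = append(alerts, Alert{101, 10, fmt.Sprintf("sshd: %d failures from %s within %s", n, ev.SrcIP, a.Window), ev})
			// rule 102 depends on 101 and adds: hostname decoded as mainserver, source outside the network
			if ip := net.ParseIP(ev.SrcIP); ip != nil && ev.Hostname == "mainserver" && !a.Internal.Contains(ip) {
				alerts = append(alerts, Alert{102, 12, "sshd: external brute force against mainserver", ev})
			}
		}
	case "sshd-success": // a good event correlated with bad ones: success right after repeated failures
		if a.recentFailures(ev.SrcIP, ev.Time) >= a.Threshold {
			alerts = append(alerts, Alert{103, 12, "sshd: login succeeded after repeated failures", ev})
		}
	}
	return alerts
}

// SampleLogs are constructed syslog-format lines, not real logs.
var SampleLogs = []string{
	"Mar  3 10:00:01 mainserver sshd[2231]: Failed password for root from 203.0.113.7 port 51122 ssh2",
	"Mar  3 10:00:03 mainserver sshd[2233]: Failed password for invalid user admin from 203.0.113.7 port 51130 ssh2",
	"Mar  3 10:00:05 mainserver sshd[2235]: Failed password for root from 203.0.113.7 port 51140 ssh2",
	"Mar  3 10:00:09 mainserver sshd[2240]: Accepted password for root from 203.0.113.7 port 51150 ssh2",
	"Mar  3 10:05:00 web01 sshd[777]: Failed password for alice from 10.0.0.5 port 40000 ssh2",
	"this line is not well formatted and is dropped at pre-decoding",
}

// RunSample feeds SampleLogs through an analyzer configured for this demonstration
// (internal network 10.0.0.0/8, three failures within two minutes) and returns every alert.
func RunSample() []Alert {
	_, internal, _ := net.ParseCIDR("10.0.0.0/8")
	a := &Analyzer{Internal: internal, Window: 2 * time.Minute, Threshold: 3}
	var all []Alert
	for _, line := range SampleLogs {
		all = append(all, a.Process(line)...)
	}
	return all
}

func main() {
	for _, al := range RunSample() {
		fmt.Printf("rule %d level %d %s (host=%s src=%s user=%s)\n", al.RuleID, al.Level, al.Description, al.Event.Hostname, al.Event.SrcIP, al.Event.User)
	}
}
```

Because the rules only see decoded fields (SrcIP, User, Hostname), a second decoder for another log format feeds the same rules unchanged, which is the "independent of the initial log format" property the section credits to the decoders; the malformed sixth line is dropped at pre-decoding and never reaches them.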
OSSEC is an open source host-based intrusion detection system that provides advanced visibility into malicious behaviour on systems. Some of the key benefits of OSSEC are:
1. Compliance requirements: OSSEC helps customers meet specific compliance requirements as outlined in PCI DSS 1.2/2.0. It lets customers detect and alert on unauthorized file system modifications and malicious behaviour based on entries in the log files of COTS products as well as custom applications.
2. Multi-platform support: OSSEC lets customers implement a comprehensive host-based intrusion detection system with fine-grained application/server-specific policies across multiple platforms such as Linux, Solaris, AIX, HP-UX, BSD, Windows, Mac and VMware.
3. Real-time and configurable alerts: OSSEC lets customers configure the incidents they want to be alerted on, which lets them focus on raising the priority of critical incidents over the regular noise on any system. Integration with SMTP, SMS and syslog allows customers to stay on top of alerts by forwarding them to e-mail and handheld devices such as cell phones.
4. Integration with current infrastructure: OSSEC integrates with customers' existing investments such as SIM/SEM (Security Incident Management / Security Event Management) products for centralized reporting and correlation of events.
5. Centralized management: OSSEC provides a simplified centralized management server to manage policies across multiple operating systems. Additionally, it lets customers define server-specific overrides for finer-grained policies.
6. Agent and agentless monitoring: OSSEC offers the flexibility of agent-based and agentless monitoring of systems and networking components such as routers and firewalls. It lets customers who have restrictions on software being installed on systems (such as FDA-approved systems or appliances) meet security and compliance needs.
3.4 Algorithm Steps of Authentication and Security Implementation
This section presents the algorithm of the complete certificate-based multi-level authentication technique. The multi-level authentication system reads the details given by the organization, team and user and produces the password output at different levels. After a user requests cloud services, the organization follows these steps:
Step 1. First, both ends authenticate themselves by simple server and client authentication.
Step 2. After that, in the cloud service layer, a certificate-based authorization is generated to authenticate and validate the requesting user and data.
Step 3. The same digital certificate is moved to the different cloud layers to validate the user and protect data, using the LDAP protocol to identify threats.
Step 4. At the same time, the information is monitored by the OSSEC system, which guards against intrusions based on specific events or sets of events.
CHAPTER 4
EXPERIMENTAL SETUP AND RESULT
4.1 Implementation
Step 1. First we have to create the virtualization environment using VMware and VirtualBox. Virtualization is the ability to run multiple operating systems on a single physical system and share the underlying hardware resources.
Fig 4.1 Virtualization Overview
In our implementation we are using Ubuntu 11.10 as guest OS1 and Ubuntu 12.04 as guest OS2.
Step 2. To create the cloud server, we have to follow a set of procedures. The process is shown here:
4.1.1 Install LAMP
LAMP is a group of open source software used to get web servers up and running. The acronym LAMP is derived from the first letters of Linux, Apache HTTP Server, MySQL and PHP/Perl/Python.
Linux is a Unix-like and POSIX-compliant operating system. Ubuntu Server is one of the popular Linux distributions dedicated to server environments.
Apache is an HTTP web server, the most popular in use. It serves web pages when they are requested by web browsers. When you type a URL into your web browser and press Enter, the page you see on screen is most likely served by the Apache web server.
MySQL is a database management system now owned by Oracle Corporation. It stores and organizes references to the information the web server needs.
PHP is a reflective programming language which makes it possible for all these different parts to work together.
First we need to log in as the super user:
$ sudo su root
Fig 4.2 Login as root user
4.1.2 Install Apache: Apache is a free and open source web server that is well known for running on UNIX operating systems. There are two ways of installing Apache: you can use your console or a terminal window session. In order to install Apache you will need your sudo password. Open a terminal and type in this command:
sudo apt-get install apache2
Fig 4.3 Installation of Apache Web Server
4.1.3 Install MySQL Server: MySQL stands for "My Structured Query Language". MySQL is a relational database program. This application operates as a server, in which multiple users can access many databases. Many software applications use MySQL, such as WordPress; even Google and Facebook use MySQL. At the command prompt, type:
sudo apt-get install mysql-server
Fig 4.4 Installation of MySQL Server
During the installation you will be asked to set the MySQL root user password. This is an administrative account in MySQL that has increased privileges; enter the password. After the successful installation of the MySQL server we have to start using its services. At the command prompt, type:
mysql -u root -p
Fig 4.5 Login Inside MySQL Server
4.1.4 Create Database: After the MySQL server installation is complete, you need to run a command to tell MySQL to create the database directory structure where it will store its information. To create a MySQL database, type the following at the mysql prompt:
mysql> create database database1;
After creating the database, we can check it and its tables with the following command:
mysql> show tables from database1;
Fig 4.6 Create Database eyeOS
4.1.5 Install PHP: PHP is an open source web scripting language that is widely used to build dynamic web pages. PHP was originally used for creating dynamic web pages; however, developers also use it to create standalone graphical applications, while network and system administrators use PHP for its command-line capabilities. To install PHP, open a terminal and type in this command:
sudo apt-get install php5
Fig 4.7 Installation of PHP
4.1.6 Configuring cURL: cURL is a library that lets you make HTTP requests from PHP. Everything you need to know about it (and most other extensions) can be found in the PHP manual. Run the following command in your terminal:
sudo apt-get install curl
Fig 4.8 Installation of curl
4.1.7 KAAZING Gateway: Kaazing Gateway can be configured to allow TCP (and UDP) clients to connect to servers over the web without the need for any special Kaazing or WebSocket libraries, thus creating a virtual private connection. Kaazing Gateway is designed not only to proxy TCP protocols over the WebSocket protocol, but it can also be run in a reverse mode, from WebSocket to TCP. This design allows system and network administrators to configure two or more gateways so that applications can traverse the web securely through firewalls and proxy servers. Enterprises and start-up companies can now deliver sophisticated server-to-server systems and rich client applications over a LAN or WAN web infrastructure in the same manner as conventional distributed applications, all without the expense or complexity of a private line. This allows many types of applications to be constructed: real-time supply chain, inter-cloud and cloud-to-cloud communication, fixed-income exchanges, local office management, external cloud applications using data remaining within the enterprise, and so on. To start the gateway, type the following command:
./gateway.start
Fig 4.9 KAAZING Gateway
4.1.8 KAAZING Gateway Started: After successful configuration, the KAAZING gateway starts and shows the following command prompt on screen with the message that the server started successfully.
Fig 4.10 KAAZING Gateway Started
4.1.9 ActiveMQ Admin: The ActiveMQ Web Console is a web-based administration tool for working with ActiveMQ. Apache ActiveMQ is an open source (Apache 2.0 licensed) message broker which fully implements the Java Message Service 1.1 (JMS). It provides enterprise features like clustering, multiple message stores, and the ability to use any database as a JMS persistence provider besides VM, cache and journal persistence; below is the list of some other main features. ActiveMQ is often a good recommendation for SOA infrastructure projects. The activemq commands allow you to view and manage the brokers and messages. Use the following command to start the ActiveMQ admin tool:
./activemq-admin start
Fig 4.11 Installation of ActiveMQ Admin
4.1.10 Cloud Started: After successful configuration of the above-mentioned steps, the cloud environment is started and shows the following eyeOS screen. After logging in with username and password, we can use and access the various services provided by the cloud environment.
Fig 4.12 Cloud Server Started
The following screenshot of the output shows the various services provided by eyeOS, such as user directory services, system application services and the user's on-demand application services.
Fig 4.13 Home Page of User Workspace
Installation process of OSSEC: OSSEC is an open source host-based intrusion detection system that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response. It runs on most operating systems, including Linux, MacOS, Solaris, HP-UX, AIX and Windows. It also includes agentless monitoring.
Requirements for installing the OSSEC server:
An Ubuntu 14.04 server
Apache2, PHP, MySQL and development packages
OSSEC clients to monitor
Installing development packages: OSSEC is installed from source, therefore you need the development packages. This applies both to the OSSEC clients and to the OSSEC server:
apt-get install build-essential make libssl-dev git
Installing Apache, MySQL and PHP: we have already installed all the required software during the LAMP installation. Now the only remaining requirement is the installation and configuration of OSSEC.
Installing the OSSEC Web UI: this is also quite simple. Because we have already set up Apache and PHP, we can just download the web UI and extract it to /var/www/html.
Client installation: download and verify the OSSEC 2.8 .tar.gz file as described above. Don't forget to install the development packages. This time, do an agent installation. Adding a client to OSSEC is quite simple. First you add the client on the server, which gives you a key. Then you add this key to the client, edit the config file on the client, and that's it. First we need to generate a key on the OSSEC server for this client. We do this by running
/var/ossec/bin/manage_agents
and then entering the hostname, IP and ID for the client we want to add. Do this on the OSSEC server.
Fig 4.14 OSSEC Home Page
The OSSEC server records and lists the files which have been modified by agents. The modifications of files are recorded by day and time in the OSSEC server database. For files which are accessed and altered in the cloud environment, their integrity is first checked against the OSSEC server's file database record. So the OSSEC server is used to record all alterations and to check the integrity of the files. The output of this implementation is shown in the following screenshot:
Fig 4.15 GUI Panel
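The file integrity function described above (the server keeps a database of file checksums and reports the files that were altered), as an added example that is neither OSSEC's syscheck code nor part of the thesis. It hashes every regular file under a directory into a baseline, takes a second snapshot later and reports added, modified and deleted files; Demo builds a temporary directory with constructed sample files and simulates the changes, so the whole thing runs offline. The directory name, file names and contents are invented for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"io/fs"
	"os"
	"path/filepath"
	"sort"
)

// Baseline maps a path (relative to the monitored root) to its SHA-256 digest,
// like the checksum database syscheck keeps for the monitored directories.
type Baseline map[string]string

// Snapshot hashes every regular file below root.
func Snapshot(root string) (Baseline, error) {
	b := Baseline{}
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
		if err != nil || d.IsDir() {
			return err
		}
		f, err := os.Open(path)
		if err != nil {
			return err
		}
		defer f.Close()
		h := sha256.New()
		if _, err := io.Copy(h, f); err != nil {
			return err
		}
		rel, err := filepath.Rel(root, path)
		if err == nil {
			b[rel] = hex.EncodeToString(h.Sum(nil))
		}
		return err
	})
	return b, err
}

// Change is one integrity event; Kind is "added", "modified" or "deleted".
type Change struct{ Path, Kind string }

// Diff compares a fresh snapshot against the stored baseline, sorted by path.
func Diff(base, cur Baseline) []Change {
	var out []Change
	for p, h := range cur {
		if old, known := base[p]; !known {
			out = append(out, Change{p, "added"})
		} else if old != h {
			out = append(out, Change{p, "modified"})
		}
	}
	for p := range base {
		if _, still := cur[p]; !still {
			out = append(out, Change{p, "deleted"})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Path < out[j].Path })
	return out
}

// Demo builds a temporary tree of constructed files, records the baseline,
// simulates later changes and returns what the integrity check reports.
func Demo() ([]Change, error) {
	dir, err := os.MkdirTemp("", "syscheck-demo")
	if err != nil {
		return nil, err
	}
	defer os.RemoveAll(dir)
	write := func(name, content string) error {
		return os.WriteFile(filepath.Join(dir, name), []byte(content), 0o644)
	}
	if err := write("passwd", "root:x:0:0:root:/root:/bin/bash\n"); err != nil { return nil, err }
	if err := write("hosts", "127.0.0.1 localhost\n"); err != nil { return nil, err }
	base, err := Snapshot(dir)
	if err != nil {
		return nil, err
	}
	// simulated changes since the baseline: one file edited, one removed, one new
	if err := write("passwd", "root:x:0:0:root:/root:/bin/bash\nguest:x:1001:1001::/home/guest:/bin/sh\n"); err != nil { return nil, err }
	if err := os.Remove(filepath.Join(dir, "hosts")); err != nil { return nil, err }
	if err := write("app.conf", "debug=true\n"); err != nil { return nil, err }
	cur, err := Snapshot(dir)
	if err != nil {
		return nil, err
	}
	return Diff(base, cur), nil
}

func main() {
	changes, err := Demo()
	if err != nil {
		panic(err)
	}
	for _, c := range changes {
		fmt.Printf("%-9s %s\n", c.Kind, c.Path)
	}
}
```

The baseline is only as trustworthy as its storage: the thesis keeps it on the OSSEC server rather than on the monitored host, and that placement is what stops an intruder who alters a file from also rewriting the checksum it is compared against.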
The OSSEC server maintains records for each activity running on the server. To see the latest event records we can use the interface and check the records. The output of this implementation is shown below:
Fig 4.16 List of Activity Captured
Again, to search the records based on some criteria, we can use the alert search options. They filter the search results based on time, date, events and category, so that the user can get the records matching the required criteria and conditions. The output of this implementation is shown below:
Fig 4.17 Alert Search Option
4.2 RESULT
Table 4.1 illustrates the identified existing intrusion attacks and their corresponding solutions.

S. No. | Identified Existing Attacks | Existing Systems | Proposed System
1 | Insider Attack | Cannot detect new or variant of known attacks. Knowledge base for matching should be crafted carefully. | Enhanced form of stateful packet filtering firewalls; prevents against insider attacks.
2 | Flooding Attack | Lot of time required to identify attacks. Detection accuracy is based on amount of collected behaviour or features. | Identifies intrusions by monitoring host's file system, system calls or network events and prevents the attacks.
3 | User to Root Attack | It can monitor attacks only on host where it is deployed. | High detection accuracy for previously known attacks. Low computational cost.
4 | Port Scanning Attack | Difficult to detect intrusions from encrypted traffic. It helps only for detecting external intruders. | Examines the payload and opens or closes the ports as per the protocol and prevents the attacks.
5 | Attacks on Virtual Machine (VM) or hypervisor | Need to install on each machine such as VMs, hypervisor or host machine. It can monitor attacks only on host where it is deployed. | It allows user to monitor and analyze communications between VMs, between hypervisor and VM and within the hypervisor-based virtual network.

TABLE 4.1 Comparison of Existing Intrusion Attack Performance and the Proposed System
CHAPTER 5
CONCLUSION AND SUGGESTION
5.1 CONCLUSION
Cloud computing helps to store enormous amounts of data over the Internet; hence the probability of intrusion grows with the sophistication of intruders' attacks. Various IDS methods are used to counter malicious attacks in conventional networks. For cloud computing, with its massive network access rate, the relinquishing of control over information and applications to the cloud service provider, and its vulnerability to distributed attacks, a competent, trustworthy and information-transparent IDS is necessary. In this work, a multi-threaded cloud IDS architecture is presented which can be administered by a third-party monitoring system for better optimized effectiveness and precision for the cloud user. Security plays a vital role during the transmission of data from one node to another. Data integration among various clouds and data access from one cloud to another is simple, but authentication for the access of data is necessary so that the number of attacks is reduced. The proposed model implemented here provides a simple and efficient way of ensuring data integrity and access to data in a cloud environment. By analyzing various IDS models we have proposed an agent-based IDS for the cloud environment at the infrastructure level, which forms the base for cloud applications. Our proposed IDS agents are intelligent enough to avoid attacks and secure the cloud from various attacks. The IDS can be deployed in all cloud models, as the security problem has the same impact in each. In a future extension of this work we will try to practically deploy this IDS model on cloud nodes using open cloud resources.
5.2 SUGGESTION
A cloud usage-profile-based intruder detection and prevention system prepares usage profiles and checks cloud customer usage against them. In turn, it reports and prevents the intruder using an intrusion detection meter, questionnaires and vendor reporting mechanisms. Hence it may be the solution for insider attacks, flooding attacks, user-to-root attacks, port scanning attacks, attacks on virtual machines and hypervisor backdoor channel attacks. As for future work: cloud computing has many benefits and growing customer demand. It gives cost benefits by providing ready infrastructure and effective resource management. However, security is the main issue, which needs to be resolved on a priority basis. Intrusion detection and prevention systems are available in the literature, but an effective technique specific to cloud security and intrusion is required on a high-priority basis. Although intrusion detection using HMM provides efficient results, further enhancements can be made regarding power consumption in cloud computing when data is stored in the data centres. As cloud computing is widely used, security is the main issue in cloud computing, and further enhancement can be done in the field of cloud computing security.