Tuesday 25 November 2014

Security and Privacy in Cloud Computing - Survey

Paper here

This paper gives a survey of security and privacy in cloud computing. It explores several applications that address the problems that exist in a cloud. In this summary, I will not focus much on the applications, but on the problems that exist in a cloud.
The Cloud computing system, Cloud for short, has become a buzzword nowadays, and it has become a great business for several companies like Amazon, Google, and Microsoft. Cloud computing can provide infinite computing resources on demand due to its highly scalable nature, which eliminates the need for Cloud service providers to plan far ahead on hardware provisioning. Cloud providers charge clients according to computing usage, and can release computing resources as needed - utility computing.

A strong barrier that has been raised against cloud computing relates to security and privacy. This is a small list of incidents that undermine cloud computing, and much more will happen:
  • Google Docs found a flaw that inadvertently shared users' docs in March 2009.
  • A Salesforce.com employee fell victim to a phishing attack and leaked a customer list, which generated further targeted phishing attacks in October 2007.
  • Epic.com lodged a formal complaint to the FTC against Google for its privacy practices in March 2009. EPIC was successful in an action against Microsoft Passport.
  • Steven Warshak stopped the government's repeated secret searches and seizures of his stored email using the federal Stored Communications Act (SCA) in July 2007.
Cloud computing allows providers to develop, deploy and run applications that can easily grow in capacity (scalability), work rapidly (performance), and never (or at least rarely) fail (reliability), without any concerns about the properties and the locations of the underlying infrastructures. The price of obtaining these properties is that individual private data is stored on the other side of the Internet and service is obtained from other parties (i.e. Cloud providers, Cloud service providers), which consequently results in security and privacy issues.

The paper shows that availability, confidentiality, data integrity, control and audit are important to achieve adequate security.

Availability


The goal of availability for Cloud Computing systems (including applications and their infrastructures) is to ensure that users can access the cloud at any time, at any place. This is true for all cloud computing systems - DaaS, SaaS, PaaS, IaaS, etc. Hardening and redundancy are two strategies to improve availability.

Cloud computing vendors provide Cloud infrastructures and platforms based on virtualization. E.g., Amazon uses Xen to provide separated memory, storage, and CPU virtualization on a large number of commodity PCs. Hence, the virtual machine is the basic component in the cloud providers. Virtual machines have the capability to provide on-demand service according to users' individual resource requirements, and they are used to tie commodity computers together to provide a scalable and robust system.

Furthermore, cloud system vendors offer clients the ability to block and filter traffic by IP address in their virtual machines, which in turn enhances the availability of the provided infrastructure.

As for redundancy, cloud system vendors offer geographic redundancy to enable high availability on a single provider. Availability zones are distinct locations that are engineered to be insulated from failures in other availability zones and provide inexpensive, low latency network connectivity to other availability zones in the same region. Using instances in separate availability zones, one can protect applications from failure of a single location.

That is to say, the Cloud system is capable of providing redundancy to enhance the availability of the system.

Confidentiality


Confidentiality is a big obstacle for the users to overcome. They want to keep data secret in the cloud system.

Cloud computing systems are public networks and are exposed to more attacks than systems hosted in private data centers. Therefore, it is a fundamental requirement to keep all data confidential.

There are two basic approaches to guarantee confidentiality - physical isolation and cryptography. VLANs and network middleboxes are used to achieve virtual physical isolation. Encrypted storage is another choice to enhance confidentiality. For example, encrypting data before placing it in a cloud may even be more secure than keeping unencrypted data in a local data center.

Data integrity


Data integrity in the Cloud system means preserving information integrity, and it is fundamental for DaaS, SaaS, and PaaS infrastructures. In a cloud system, we are talking about Terabytes and Petabytes of data. To keep up with the popularization of the clouds, vendors need to add more hard drives. This may consequently result in an increased probability of node failure, disk failure, data corruption or even data loss. Secondly, disk drives (or solid state disks) are getting bigger and bigger in terms of their capacity, while not getting much faster in terms of data access.

There are storage services like Zetta, GFS, and HDFS that try to take care of integrity in different ways. Zetta provides integrity based on RAIN-6 (Redundant Array of Independent Nodes), which is similar to RAID6.

Digital signatures are also a technique used for data integrity testing. They are used in GFS and HDFS. When a block is stored, a digital signature is attached to it. The signature is able to recover data from corruption.
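An added example (not from the paper, this post, GFS or HDFS) of per-block integrity tagging: a tag is attached when each block is stored, a read detects a block whose bytes no longer match its tag, and the block is repaired from a redundant copy. HMAC-SHA256 stands in for the signature; the key, block size, node layout and function names are assumptions.

```python
import hashlib
import hmac

BLOCK_SIZE = 8                # tiny blocks so the sample spans several (constructed)
KEY = b"demo-integrity-key"   # hypothetical key held by the storage client


def tag(block: bytes) -> bytes:
    """Integrity tag attached to a block when it is stored."""
    return hmac.new(KEY, block, hashlib.sha256).digest()


def store(data: bytes) -> list:
    """Split data into blocks and keep each block together with its tag."""
    blocks = [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]
    return [(b, tag(b)) for b in blocks]


def verify(node: list) -> list:
    """Return the indexes of blocks whose bytes no longer match their tag."""
    return [i for i, (b, t) in enumerate(node)
            if not hmac.compare_digest(tag(b), t)]


def read(primary: list, replica: list) -> tuple:
    """Read from primary, repairing corrupted blocks from the replica.

    The tag detects the corruption; the clean bytes come from the redundant copy.
    """
    repaired = []
    for i in verify(primary):
        block, t = replica[i]
        if not hmac.compare_digest(tag(block), t):
            raise ValueError(f"block {i} is corrupt on every replica")
        primary[i] = (block, t)
        repaired.append(i)
    return b"".join(b for b, _ in primary), repaired


def demo() -> tuple:
    """Constructed sample: two nodes hold one object, a block rots on node A."""
    data = b"genomic-record-0001:ACGTACGT"
    node_a, node_b = store(data), store(data)
    node_a[1] = (b"XXXXXXXX", node_a[1][1])   # simulated silent disk corruption
    return verify(node_a), read(node_a, node_b), data


if __name__ == "__main__":
    print(demo())
```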

Control


Controlling the cloud means regulating the use of the system, including the applications, its infrastructure and the data. Performing distributed computation in Cloud Computing systems on sensitive individual data, like genomic data, raises serious security and privacy concerns. Data and computation must be protected from leaks or malicious hosts.

In cloud computing, Airavat integrates decentralized information flow control (DIFC) and differential privacy to provide rigorous privacy and security control in the computation for the individual data in the MapReduce framework. Airavat uses DIFC to ensure that the system is free from unauthorized storage access.

It prevents Mappers from leaking data over unsecured network connections or leaving intermediate result data in unsecured local files. By providing several trusted initial mappers and trusted reducers, Airavat is able to carry out privacy-preserving computations in the MapReduce framework, eventually allowing users to insert their own mappers while dynamically ensuring differential privacy.
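An added sketch (not Airavat's code, and not from the paper or this post) of the split described above: an untrusted, user-supplied mapper whose output is clamped to a declared range, and a trusted SUM reducer that adds Laplace noise scaled to that range before releasing the result. The range, epsilon, record fields and function names are assumptions.

```python
import math
import random

LOW, HIGH = 0.0, 100.0   # declared range of one mapper output (assumed)
EPSILON = 0.5            # privacy parameter set by the data provider (assumed)

# Constructed sample records; the last one is an outlier a mapper could leak through.
RECORDS = [{"spend": 20.0}, {"spend": 35.0}, {"spend": 1e9}]


def untrusted_mapper(record: dict) -> float:
    """User-supplied code: may return anything, including out-of-range values."""
    return record["spend"]


def enforce_range(value: float) -> float:
    """Clamp a mapper output so a single record has bounded influence on the sum."""
    return min(max(value, LOW), HIGH)


def laplace(scale: float, rng: random.Random) -> float:
    """Sample Laplace(0, scale) by inverting the CDF."""
    u = rng.random() - 0.5
    while u == -0.5:   # avoid log(0); probability about 2**-53
        u = rng.random() - 0.5
    return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))


def trusted_sum(records: list, rng: random.Random) -> tuple:
    """Trusted reducer: sum clamped mapper outputs, add noise, release the result.

    Returns (exact, released); the exact sum is returned only for comparison here.
    """
    exact = sum(enforce_range(untrusted_mapper(r)) for r in records)
    # Adding or removing one record changes the clamped sum by at most this much.
    sensitivity = max(abs(LOW), abs(HIGH))
    return exact, exact + laplace(sensitivity / EPSILON, rng)


if __name__ == "__main__":
    print(trusted_sum(RECORDS, random.Random()))
```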

Hence, efficient and effective control over data access in Cloud Computing systems, and regulation of the behaviour of the applications (services) hosted on them, will enhance the security of those systems.

Audit


Audit means watching what happened in the Cloud system. Three main attributes should be audited:
  • Events: The state changes and other factors that affected the system availability.
  • Logs: Comprehensive information about users' applications and their runtime environment.
  • Monitoring: Should not be intrusive and must be limited to what the Cloud provider reasonably needs in order to run their facility.
Auditability is a legal issue because it involves the law of the country where the data is. The Internet has no frontiers, but the location where the data is stored is what counts in legal terms.

The rest of the paper dwells on legal issues related to privacy. I am not going to focus on the legal issues, but what I can say is, such a new feature (Auditability) reinforces the cloud computing developers to provide a virtualized system over the virtual machine to watch what is happening in the system.

In conclusion, this is a general paper that shows the main challenges that the cloud world is facing, and we can see that cloud computing is not a light issue and it can involve the government when we start to talk about privacy and security.
