Security Issues and Recommendations for the Lifecycle of Data in Cloud Computing
Bhavin Shah, Rutvij Jhaveri, Ashish Patel, Jatin Parmar
Department of Computer Engineering and Information Technology, Shri S’ad Vidhya Mandal Institute of Technology, Bharuch-392001 (India), Gujarat Technological University
Abstract
Cloud computing is a new technique for internet users that provides data, resources, platforms and applications as services. It is a pay-by-use, self-service and on-demand model. It uses the internet and central remote servers to maintain data and applications. Service orientation, standardization and virtualization are the three keys to computing through the internet. Cloud computing helps a great deal in reducing IT budgets and power costs. This paper gives an overview of the cloud model infrastructure, describes some security issues, and offers some possible recommendations for cloud computing. We also discuss data security in the general model during the data lifecycle.
Keywords Data security; Data lifecycle; General security issues for data and recommendations; Security benefits
1. Introduction
Users of cloud computing may be individuals, businesses or others. A cloud can be public, private or hybrid. It is observed that disciplined companies have achieved a remarkable reduction in their IT budgets by adopting this model. Cloud computing allows consumers and businesses to use applications, software and infrastructure without installation, and to access their personal files from any computer with internet access. This technology allows for much more efficient computing by centralizing storage, memory, processing and bandwidth.
2. Architecture
The cloud computing architecture model involves 3 layers, as shown in fig. 1:
[Fig. 1 Cloud Computing Architecture Model (layers: SaaS, PaaS, IaaS)]
2.1. Infrastructure-as-a-service (IaaS)
This service provides infrastructure, such as virtual server instances with unique IP addresses and blocks of storage, on demand through APIs supplied by the providers. E.g. Amazon Web Services
2.2. Platform-as-a-service (PaaS)
Platform-as-a-service in the cloud is defined as a set of software and product development tools hosted on the provider's infrastructure. Developers create applications on the provider's platform over the Internet. PaaS providers may use APIs, website portals or gateway software installed on the customer's computer. Developers need to know that currently there are no standards for interoperability or data portability in the cloud. E.g. Google App Engine
2.3. Software-as-a-service (SaaS)
In this cloud model the vendor provides software or development tools as a service. These software services may be database services, DBMS, email, web-based or any other software. Both the user's data and the applications reside at some other place or on some other infrastructure, which the consumer can access from anywhere by using an interactive application over the internet. E.g. scripting and programming languages, programming APIs, Google Apps
3. Data Lifecycle
One of the primary goals of information security is to protect the fundamental data that powers our systems and applications. As we transition to cloud computing, our traditional methods of securing data are challenged by cloud-based architectures. Elasticity, multi-tenancy, new physical and logical architectures and abstracted controls require new data security strategies. With many cloud deployments we are also transferring data to external or even public environments, in ways that would have been unthinkable only a few years ago. The Data Lifecycle consists of six phases, as shown in fig. 2.
• Create
• Store
• Use
• Share
• Archive
• Destroy
Fig. 2 Data Lifecycle
3. Data Security Issues
Key challenges or issues regarding data lifecycle security in the cloud include the following:
3.1. Data security
Refers to confidentiality, integrity, availability, authenticity, authorization, authentication, and non-repudiation.
3.1.1. Confidentiality. Confidentiality refers to the security of encryption keys, data, passwords and other confidential data. For example, data from company “abc” that is stored in encrypted form at company “xyz” must be kept secure from the employees of “xyz”.
3.1.2. Integrity. There should not be common policies, protocols or rules for data storage, transfer and exchange, so every consumer should have the freedom to use any software or protocols for this purpose and to share, process or transfer the data between many parties.
3.1.3. Availability. According to contract policies between clients and vendors, data belong only to the client at all times, preventing third parties from being involved at any point.
3.1.4. Authenticity. Refers to the process in which a constraint checks whether the user or client is authentic or not. Roles should be assigned to individual clients, groups etc. according to authentication.
3.1.5. Authorization. By using some secure policy we can provide authentication to particular data, services, machines, applications etc. There should be several methods, such as password plus flash card, password plus fingerprint, or some combination of external hardware and password.
3.1.6. Authentication. Refers to the process in which a constraint checks whether the user or client has the right to access or use particular software, services, data etc.
3.1.7. Non-repudiation. There should be some disclaimer or policy to ensure non-repudiation of the data.
3.2 Data assimilating
There should be some controls to manage the consumers’ data at the time of use, storage, or transit among different clouds. Data should not be mixed up among different clouds and consumers without predefined rules. Introducing such a technique or strategy for data assimilation will therefore be a challenge with respect to security and geo-location.
3.3 Data location
It is a challenge for cloud providers to assure the location of “acquiescent storage” for the owner's data. All copies and backups of the consumers’ data must be stored at the location mentioned in the contract or agreement. Depending on contracts, some clients might never know in what country, geo-location or jurisdiction their data is located.
3.4 Data backup and recovery
Data backup should be available at every phase of the lifecycle to the required consumers, with appropriate authentication and authorization in the given cloud model. There should be appropriate recovery techniques as well, to prevent data loss, unwanted update or overwriting, and destruction. The cloud provider should have a backup and recovery protocol to protect user data and investigative support.
3.5 Data preservation
Strong data preservation strategies or techniques are required to preserve data in its different states during the whole lifecycle. Whenever data are in the “Destroy” phase of the data lifecycle, it is required that the data be completely and effectively used, uncovered, erased and available.
3.6 Data aggregation and inference
With data in the cloud, there are added concerns of data aggregation and inference that could result in breaching the confidentiality of sensitive and confidential information. Hence practices must be in play to assure the data owner and data stakeholders that the data is still protected from subtle “breach” when data is commingled and/or aggregated, thus revealing protected information.
3.7 Data access restriction
Cloud consumers require security for the protection of data and applications, as the information travels over the internet. Every service provider should have sufficient rules and rights governing privileged data access for the user. Every enterprise should know the details of these data access rules before using the service.
3.8 Data isolation
A service provider may use the same storage device or hard drive to store the information of multiple companies. There should be a strong and reliable mechanism to provide data isolation, ensuring data security for the consumer.
3.9 Data discovery
This is the strategy required for electronically discovering and retrieving the requested data. Providers and owners therefore require some rules and regulations, legal authority, and technical and administrative controls for this purpose.
3.10 Long time availability
If a consumer wants to change service provider, because the provider company has been taken over by some other company or for some other reason, they should be allowed to change under a flexible contract, without any more pupations. There should not be rigid rules or standardization for changing the service, so that consumers do not have to make many changes to data, applications and infrastructure. All of these should remain available to the consumer for a long time, regardless of the provider.
4. Security Recommendations
As there are a number of issues related to security, we focus here only on data security issues during the different phases of the lifecycle of data in the cloud computing model. Below are some recommendations for data security from researchers, experts and other sources. Both the consumer and the provider need to use these recommendations to build a properly secure model for the cloud computing architecture.
4.1. Create
• A rights management policy for the user data can be identified in this phase.
• Proper identification of the user data's label, class and tag is required to classify the data.
4.2. Store
• In this phase data is going to be stored in the file system, database or document. It is therefore required to identify access controls and encryption solutions for such systems.
• Data or content discovery tools are used to find out the access controls for such systems.
4.3 Use
• Event monitoring and handling can be done by using event management tools or log files to track the processing of the data.
• The same thing can be done either by application logic or by controls within the DBMS.
4.4 Share
• Data isolation and security tools or object controls of the DBMS can be used in this phase, when data are shared among many users or consumers.
4.5 Archive
• In this phase, management and tracking of data assets (backup or storage devices) is required.
4.6 Destroy
• Data can’t be destroyed or deleted directly. It requires some preparation, such as a content discovery technique, to delete the encryption keys and the actual data according to the client's requirement or request.
• Some strategic policy or technique is also required to destroy the actual physical data or storage devices.
5. Security Benefits
In cloud computing the data security issue is of more importance than the other security issues. Some security benefits are as shown:
• The entire consumer’s data should be stored together or centrally at the same place. This can be dangerous with respect to security, but it also has the benefit that managing and monitoring the data becomes easier.
• Storing data in the cloud avoids issues of crashed hard drives or other storage devices.
• By using different technologies, such as thin clients, we can protect the data and authentication as well at the cloud.
• If a server is down for clean-up or maintenance, the consumer may easily create the required environment and another instance on other servers. This saves the time needed to acquire the service, and the resources can be made immediately available.
• Password Assurance Testing is a service that can be used to control the computational power of the cloud in attempts to break into a company's system by guessing passwords. This approach minimizes resources and time spent on the client side.
• Logging benefits come from the idea that the client need not worry about storage space for log files and enjoys a faster way of searching through them. Moreover, it allows for a convenient way to observe which user accessed certain resources at any given time.
• From a security point of view, the provider generates checksums and other security algorithms, so there is no need to do this checking every time at the client side.
• The cost of running the application would be optimized as the number of users or applications increases.
• It becomes easier to monitor the effects of the various security policies implemented in the software.
• There is no need for a security software engineer, as the software runs behind an architecture that is built for secure transactions at all the major layers.
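The event monitoring recommended for the Use and Share phases, and the logging benefit of seeing which user accessed which resource, can be applied as a lifecycle-aware audit over an access log. The following is an added example, not code from the paper; the log format, the tenant names (borrowed from the “abc”/“xyz” illustration), the user and object names, and the finding labels are all assumptions constructed for illustration.

```python
from collections import namedtuple

Event = namedtuple("Event", "ts tenant user action obj target")

# Constructed sample log: timestamp tenant user action object [share-target]
SAMPLE_LOG = """\
2024-05-01T09:00:00Z abc alice create doc-1
2024-05-01T09:00:05Z abc alice store doc-1
2024-05-01T09:20:00Z xyz mallory use doc-1
2024-05-01T09:30:00Z abc alice share doc-1 xyz
2024-05-01T09:40:00Z xyz bob use doc-1
2024-05-01T10:00:00Z abc alice archive doc-1
2024-05-01T11:00:00Z abc alice destroy doc-1
2024-05-01T11:05:00Z xyz bob use doc-1
2024-05-01T11:06:00Z abc alice use doc-9
"""

def parse(log):
    """Turn log text into Event tuples; malformed lines are skipped."""
    events = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) in (5, 6):
            events.append(Event(*parts[:5], parts[5] if len(parts) == 6 else None))
    return events

def audit(events):
    """Replay events in order and return (ts, finding, tenant, obj) tuples."""
    owner, shared, destroyed, findings = {}, {}, set(), []
    for e in events:
        if e.obj in destroyed:                      # nothing may touch destroyed data
            findings.append((e.ts, "access-after-destroy", e.tenant, e.obj))
        elif e.action == "create" and e.obj not in owner:
            owner[e.obj], shared[e.obj] = e.tenant, set()
        elif e.obj not in owner:                    # never created: unclassified data
            findings.append((e.ts, "unknown-object", e.tenant, e.obj))
        elif e.tenant != owner[e.obj] and not (
                e.action == "use" and e.tenant in shared[e.obj]):
            findings.append((e.ts, "cross-tenant-access", e.tenant, e.obj))
        elif e.action == "share" and e.target:      # owner grants another tenant use
            shared[e.obj].add(e.target)
        elif e.action == "destroy":
            destroyed.add(e.obj)
    return findings

if __name__ == "__main__":
    for finding in audit(parse(SAMPLE_LOG)):
        print(*finding)
```

The 09:40 access by tenant xyz is not reported because the owner shared the object first; the same access at 09:20, before the share, and at 11:05, after the destroy, is.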
5. Conclusions
In this paper, we have described basic security issues for the data lifecycle in cloud computing. We have addressed security benefits and recommendations for data security during the lifecycle. This paper is a proficient source of knowledge for people who work on data security and other security issues of cloud computing.