Open Security System for Cloud Architecture

Koushik S, Annapurna Patil
Department of ISE, Department of CSE
M. S. Ramaiah Institute of Technology, Bangalore - 560054
[email protected], [email protected]

Abstract: Cloud computing is a computing platform that delivers computing resources as a service over a network. Infrastructure, data, software, platform and many more such computing resources are provided by different vendors for different purposes. This lets vendors retain control over the resources they provide to their users. This paper focuses on the security aspects of cloud computing. Any operation over a network is vulnerable to attack. Data on a cloud server is exposed to risks such as theft or loss. In this context, securing data becomes the top priority. Currently, cloud providers supply their own security mechanisms. Building security around the cloud may prove costly in terms of money and time for a cloud provider. This paper focuses on providing an open security mechanism that can be used by all cloud providers, thus achieving high security and manageability at affordable cost.

Keywords: Cloud, Open Security, Public Cloud, Private Cloud, Security Architecture, Cloud Security Issues.

1 Introduction

Cloud is one of the most exciting platforms in the field of computing, and a great deal of technological change is being built around it. Amazon, Google, Apple, Microsoft and many more companies are focusing on cloud technology and offering different services on the cloud. Not just corporations: government bodies are also keen to use this technology for their purposes. Government-operated clouds such as those of the U.S. (Apps.gov), the U.K. (G-Cloud) and Canada (Canadian Government Cloud) are also trying to move to this technology. Cloud applications are accessed using a web browser; control of the software application remains with the company itself, which makes it easier to manage. Applications on the cloud are provided as a service. Cloud is basically modelled as XaaS, i.e. X-as-a-service, where 'X' stands for different services, viz. Software, Platform, Infrastructure, Database, Network, Storage and many more [14, 12]. Many mid-size and small companies are not exploiting cloud technology to the fullest because of the drawbacks in the current security policies adopted by cloud providers. Once a customer is assured that data hosted on the cloud is as safe as a local copy, moving to the cloud becomes easy. The technology behind cloud is virtualization. Virtualization has its own advantages and disadvantages, one of the major problems being security. Operation, administration and maintenance costs are higher if the system is not local. Remote monitoring is used to fix issues on remote sites, and network failures result in more overhead. Different cloud providers have different SLAs (Service Level Agreements), which makes building a secure cloud difficult [7]. Security has many paradigms, and various researchers discuss cloud security from their own viewpoints. One of the major security concerns in the cloud arises when data is posted on a public cloud. Private cloud owners have their own security mechanisms, and because the data is local in a private cloud it is easier for organizations to secure it [7].

2 Types of Cloud

2.1 Private Cloud

A private cloud is commonly called an internal cloud or corporate cloud. Private clouds provide services to a limited number of users and have a private firewall. The services are provided to people behind the firewall. A private cloud is owned by a corporate company to cater to services internal to the organization. The cloud can either be built by the organization or bought by a third party [12, 13].

2.2 Public Cloud

A public cloud may be established where several organizations have similar requirements and seek to share infrastructure so as to realize some of the benefits of cloud computing. The costs are spread over fewer users than a public cloud (but more than a single tenant) [10]. This option offers a higher level of privacy, security, and/or policy compliance. In addition, it can be economically attractive as the resources (storage, workstations) utilized and shared in the community are already exploited. A few other cloud mechanisms exist: community cloud, hybrid cloud and intercloud. These cloud computing platforms are useful in their own right [12].

3 Security in Cloud

Security controls in cloud computing are, for the most part, no different than security controls in any IT environment. However, because of the cloud service models employed, the operational models, and the technologies used to enable cloud services, cloud computing may present different risks to an organization than traditional IT solutions [7]. One of the attractions of cloud computing is the cost efficiencies afforded by economies of scale, reuse, and standardization [8]. To bring these efficiencies to bear, cloud providers have to provide services that are flexible enough to serve the largest customer base possible, maximizing their addressable market. Unfortunately, integrating security into these solutions is often perceived as making them more rigid [6].

4 Open Issues in Cloud Security

From an architectural perspective, there is much confusion surrounding how Cloud is both similar to and different from existing models, and how these similarities and differences might impact the organizational, operational and technological approaches to Cloud adoption as it relates to traditional network and information security practices. There are those who say Cloud is a novel sea-change and technical revolution, while others suggest it is a natural evolution and coalescence of technology, economy, and culture. The truth is somewhere in between [4]. There are many models available today which attempt to address Cloud from the perspective of academicians, architects, engineers, developers, managers and even consumers. We will focus on a model and methodology that is specifically tailored to the unique perspectives of IT network and security professionals [6]. The keys to understanding how Cloud architecture impacts security architecture are a common and concise lexicon coupled with a consistent taxonomy of offerings by which Cloud services and architecture can be deconstructed, mapped to a model of compensating security and operational controls, risk assessment and management frameworks and, in turn, compliance standards [2, 3, 4].

5 Open Security Architecture

The proposed open security architecture is based on the control catalogue in OSA (Open Security Architecture). The OSA is based on the National Institute of Standards and Technology (NIST) model. This model provides one of the best catalogues for the IT industry. The catalogue is built on an open standard; the standard is free and can be used without restriction. The same standard is also available in ISO17799 [6]. By taking a single control catalogue we allow you to clearly establish how you can meet the objectives of many standards, without having to repeatedly work out what controls are needed and how they can be implemented. In addition we map against threats and supply tests, so you can quickly establish whether a particular control is relevant for your situation, and can check it's working correctly.

5.1 Proposed Architecture for Open Security Architecture

In this paper we propose an open security model for cloud. This open security model can be used by different cloud providers at the same time. Each cloud provider has its own security mechanism, but this model lets different cloud vendors share one security mechanism and concentrate on the other services that can be provided on the cloud. Open security is useful when a cloud app is built for multiple cloud vendors and migration of data from one cloud to another is required. For example, let us assume that data and an application are shared among different clouds. Each cloud provider has its own security mechanisms in use. Understanding the different security mechanisms takes time, so accessing data across different cloud providers becomes difficult and time consuming. Having a common security model, or open security model, solves this problem. Implementing a security model that all cloud providers can access and then offer to the user makes managing and securing data easier. Figure 5-1 shows the architecture diagram for open security between multiple clouds.

[Figure: Open Cloud Security. Labelled elements: Entity (User) (three instances); Cloud Platform; Authentication, Authorization; User Validation; Firewall and Anti-Virus; Eavesdrop Filters and Sniffers; Cloud; Security. Annotation: User directly in contact with security, separated from cloud.]

Figure 5-1: Proposed Open Security Architecture

Figure 5-1 suggests that having an open security mechanism improves the performance of security, as the service concentrates only on the security part of the cloud service. When this security mechanism is offered as a service, i.e. Security-as-a-Service, the user first logs in to the security mechanism and authenticates. Once the authentication process is complete, the security mechanism allows the user to log in, access the data and work on it.

5.2 Advantages of Open Security

Public cloud is very vulnerable to threats and eavesdropping. The advantage of this model is that user login and authentication are controlled by a common registrar. The user is registered with the security registrar instead of with the cloud vendor itself. This registrar is responsible for authenticating and authorizing the user before the user accesses the cloud services. The open security registrar includes a firewall and anti-virus that take care of external threats and other types of data misappropriation. Instead of directly allowing access to the data and application on the cloud, open security acts as a filter that resides outside the cloud and takes care of security policies. This mechanism separates users and data, which makes data more secure and hidden [6]. It also gives organizations more control over their data than posting the data directly on the cloud [7, 8].
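The registrar flow of sections 5.1 and 5.2 (log in at the registrar first, then reach the cloud), as an added Python example that is not code from the paper. The paper does not specify a mechanism, so the HMAC-signed token, the per-provider keys and every name here (Registrar, cloud_admit, the claim fields) are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, os, time

def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)

class Registrar:
    """Hypothetical open security registrar: users enroll here, not with a cloud vendor."""
    def __init__(self):
        self._users = {}   # user -> (salt, password hash, {provider: [allowed actions]})
        self._keys = {}    # provider -> MAC key shared only with that provider

    def enroll_provider(self, provider):
        self._keys[provider] = os.urandom(32)
        return self._keys[provider]          # handed to the provider out of band

    def register(self, user, password, grants):
        salt = os.urandom(16)
        self._users[user] = (salt, _pw_hash(password, salt), grants)

    def login(self, user, password, provider, ttl=300, now=None):
        """Authenticate, then authorize for one provider; return a signed token or None."""
        # Unknown users still cost one hash, so timing does not reveal who is registered.
        salt, stored, grants = self._users.get(user, (b"\0" * 16, b"", {}))
        ok = hmac.compare_digest(stored, _pw_hash(password, salt))
        if not ok or provider not in self._keys or not grants.get(provider):
            return None
        claims = {"sub": user, "aud": provider, "act": grants[provider],
                  "exp": int(time.time() if now is None else now) + ttl}
        body = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
        tag = hmac.new(self._keys[provider], body.encode(), hashlib.sha256).hexdigest()
        return body + "." + tag

def cloud_admit(provider, key, token, action, now=None):
    """Check a cloud provider runs before touching data: MAC, audience, expiry, action."""
    try:
        body, tag = token.split(".")
        good = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag.encode(), good.encode()):
            return False                     # forged, altered, or issued for another provider
        claims = json.loads(base64.urlsafe_b64decode(body))
    except (AttributeError, ValueError):
        return False                         # malformed token
    fresh = (time.time() if now is None else now) < claims["exp"]
    return claims["aud"] == provider and fresh and action in claims["act"]
```

Because each provider holds a different key, a token issued for one cloud fails verification at another, which keeps a shared registrar from turning one stolen token into access everywhere.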

6 Conclusion

The proposed open security policy for cloud can be used by multiple cloud providers for securing their private as well as public clouds. The choice of encryption algorithm and policies should depend on the providers using the security. This enables interoperability between clouds, which makes cloud computing more flexible and reliable. The availability of data and applications can be made easier using this security.

References

[1] Bass, Clements, and Kazman. Software Architecture in Practice, 2nd Ed., Addison Wesley, 2003.
[2] Garlan and Perry, guest editorial to the IEEE Transactions on Software Engineering, April 1995.
[3] Dewayne E. Perry and Alexander L. Wolf. "Foundations for the Study of Software Architecture". ACM SIGSOFT Software Engineering Notes, 17:4, October 1992.
[4] Cloud Security (2009), Rational Survivability homepage on Cloud Security Architectural Framework: http://www.rationalsurvivability.com/blog/?p=1150
[5] Aurona Gerber, Alta van der Merwe, and Andries Barnard, A Functional Semantic Web Architecture, 2009.
[6] Open Security Architecture (2011) homepage on open security architecture framework: http://www.opensecurityarchitecture.org/cms/index.php
[7] Almorsy, M.; Grundy, J.; Ibrahim, A.S, Collaboration-Based Cloud Computing Security Management Framework, 2011.
[8] Andreas Moshovos, Advanced Computer Architecture, Fall 2005.
[9] Richard N. Taylor, Software Architectures, 2008.
[10] Web Services Architecture, W3C Working Group Documentation, 2010.
[11] Jason Wood, Ken Brodlie, Jungwook Seo, David Duke, Jeremy Walton, A Web Services Architecture for Visualization, 2008.
[12] Dana Petcu, Ciprian Craciun, Marian Neagul, Silviu Panica, Architecturing A Sky Computing Platform, 2011.
[13] Pierre Riteau, Large Scale Sky Computing Applications with Nimbus.
[14] Cloud Computing, Andy Bechtolsheim, 2008.
[15] Security Guidance for Critical Areas of Focus in Cloud Computing V2.1, Cloud Security Alliance, December 2009.