economic, service quality, interoperability, security and privacy issues still . cloud adoption as it relates to traditional network and information security practices. Regarding security and privacy, a finding was reported by IDC based on a study of CIOs on cloud computing, in which 75% of respondents listed security as. You may regard cloud computing as an ideal way for your company to control IT costs, but do you know how private and secure this service really is? Not many.
Cloud Security and Privacy provides a guide to assist those who are Cloud Security and Privacy is a book for everyone who is interested in. January 9 PDF | On Jan 1, , Tim Mather and others published Cloud Security and Privacy: An Enterprise Perspective on Risks and Compliance. PDF | Cloud computing allows organizations to deliver better and In this paper we have developed a cloud security and privacy taxonomy.
The authors also identified other security focused on the measures of the security that are used to issues like: As an emerging information technology area cloud computing should be approached carefully. Even when the data is held by Ref. When consumers migrate critical company data to the cloud they are not giving the data tenure to the providers.
Lock —In, which is virtual machine improvement, and cryptography have understanding service, data, application portability by been used . The authors also identified other security focused on the measures of the security that are used to issues like: The implementation. These proposed measures were the following are five key security issues with their suggested following: Access control: Policy integration: Service management: Trust management: Some level of trust using identity as a service.
Also, compliance must exist interchangeably between cloud providers and programmatic approach to compliance and monitoring users. By levels, the following are a short list of these   : Processing sensitive data cloud security, work will expand to external providers outside the enterprise faces the risk of logical, physical and a lot of security information requirements need to be and personnel control. Even when the data is held by Ref.
They o Recovery: When the cloud server is down, what will also produced a new paradigm of cloud computing happen to the client data? Can it be restored easily? By party. The availability of the data after faults which can benefit the clients and the providers. The provider's faults or go-broke taking a place in the threats can be classified into 4 categories: A- threats clients thinking.
B- Threats o Data segregation: Data from customers share the same that concern the location. D- Other threats. When moving to cloud computing, Table 2. Such issue decreases data control by its owner. Issues discussed include the Is this acceptable by the client?
Investigating service of the cloud segregation, disaster recovery and regulatory compliance. Finding an appropriate security management when the cloud has been provided by different vendors may protect C.
Solutions to Security Issues the cloud from the major security issues. Another solution is by using better enterprise important thing when we talk about cloud computing; and infrastructure; it provides configuration and installation with the growth of cloud computing, the concerns about of the components, such as firewalls, routers, operating privacy is also becoming more important  . But systems and proxy servers. Forced threat name Counter measure name One of the biggest challenges for business adoption of Nefarious Use, 1 Confronting Monitor public blacklists, initial cloud computing is the lack of privacy and data security.
As discussed earlier, data security risks are potent Abuse. Malicious Access controls and authentication because of open environment of CC. Such issue raises 2 Application more challenges related to privacy where it increases the with encrypted transmission. Specify resource requirements, risks of information confidentiality because of the density 3 Malicious Insiders. Also, the risk of losing management. Using API access, protecting and related to the ambiguous role of cloud service provider Data Leakage and the need for more effective data protection .
Another major privacy challenge in cloud computing is Using the user and service account the nature of information source; where data and 6 Traffic Hijacking. This requires that Source: Also, information should be accessible only to authorized users Using data encryption also is another solution since no and not for any user of the cloud, and protected from need for further security from the enterprise, and all of altering at any time . Privacy of users should be the security loads are placed on the cloud provider.
The maintained when data is collected, stored or transmitted. Where the data is at each time?
Where of availability, integrity and confidentiality . Where is it being shared? The process of data collection from multiple sources as Finally, the work of Ref. Their work also proposed that face cloud computing because it reveals sensitive possible solutions for them.
The following are a short list information about consumers,. Such movement of of these common threats in the CC environment: Based on that, customers must be able to of privileges, man-in-the-middle, replay attack, identity acknowledge the access policies to their data and utilities spoofing, differential analysis threats, and viruses and called access control mechanisms. After all these issues, we still need to have a proper One of the most important goals we want to achieve in policy that defines the relations between the major three cloud computing security is protecting data privacy.
But entities in the cloud: So information will be issues need to be addressed like: Insufficient user control exposed to the risk of unauthorized access. In other word, over his data, information disclosure in movement across we face a big challenge when we talk about sharing a the cloud, unauthorized secondary storage of sensitive cloud computing resources with protecting customer data, uncontrolled data proliferation, and dynamic privacy.
The important step to solve this challenge is data provision legal challenges . Privacy Challenges Solutions Another difficult issue about cloud computing is the Many methods were proposed to preserve privacy movement of data, where data may transfer between anytime and anywhere.
In this review we will describe countries and face local regulations.
Information some of these methods and approaches called Privacy anonymity is the solution in this case by ensuring Preserving Methods. The privacy of must guarantee both preserving the privacy of data as users their identity and data in the cloud is a very well as assuring data correctness . The anonymity algorithm depending on TPA to carry out auditing. Here, Three works in a very logical manner, firstly, processes the data algorithms: KeyGen, RingSign and RingVerify are and anonymizes all or some information before shooting constructed for achieving the privacy-preserving auditing it in the cloud environment.
Often not always, the cloud . Privacy Laws and Regulations has and incorporates the details with the anonymous data to mine the needed knowledge. When studying the Realizing the difficulties facing cloud computing, we traditional approach for privacy preserving i.
But Anonymity-based method is responsibility , to sustain an acceptable privacy levels easier, the attributes that has to be made anonymous and encourage users to use cloud computing. Also, varies and it depends on the cloud service provider  researchers are worried that could computing concept will .
Users can sectors . There are two main PEP are used for making authorization decisions and options that can be used: Master Policy and self-regulation or by regulating it by the government.
Decision Points are launched, which figure out and solve Within the privacy context there are differences between the conflicts among various decisions of different PDPs.
Other users unauthorized access of their data. As the cloud provider is proclaimed that self-regulation is difficult as no available trusted, encryption of outsourced data is not done . When we talk about significant, and logical policies to implement. On the other hand, . After the request arrives to the database, encryption Other directions in research concluded that making the and assigning secured identities for each request is done.
The authors complete the process of preserving privacy. This suggested a complaints department to handle this issue, approach prevents the risk of both internal and external where users submit their complaints a service provider, attacks to outsourced data however this approach faces a then complaints be forwarded anonymously to public big challenge in providing machine readable access rights authorities, and finally, run its operations in a public . Public departments need not need to find any Oruta approach: The previous approaches proposed concerns related to cloud computing.
Also, we by Ref. This approach takes requirements, applications and associated challenges and into account three major entities: In this paper we described some models and auditing TPA and the users whom are statically grouped solutions to create a simplified view of cloud computing into two types: A Study on challenge in this field.
Some solutions depended on the Cloud Security Issues and challenges. Cloud Computing: International management. Research is Computing Security Issues and Challenges. The real Would the synergies from utilizing the  Jamil, D. Security issues in cloud lower cost of cloud computing economical gains computing and countermeasures. Also, in this work, privacy concerns were identified as  Kumar, S. Cloud Computing — an associated concern with security flaws.
Privacy issues Research Issues, Challenges, Architecture, Platforms and were discussed and some solutions also were proposed. A Survey. International Journal of Computational This research work focused on providing solutions to Intelligence and Information Security, Vol. An Analysis of literature in this area. The cloud computing concept is a Security Challenges in Cloud Computing.
Businesses are keen on understanding this Applications, Vol. A survey on security as challenges in cloud computing. International Journal of Advanced and practice society. Cloud risk of obsolescence of technology. Future work in this area should focus of two major International Journal of Soft Computing and Engineering tracks: The second track is the business adoption  Ashktorab, V.
Security of such environment and how top management takes the Threats and Countermeasures in Cloud decision to follow such path or not. The Innovation Computing.
Diffusion Theory IDT is a suitable tool that contributes 1 2 , pp. International be explored empirically through a field research that Journal of Emerging Technology and Advanced investigates the perceptions of organizations after Engineering, Vol.
Security Framework for experience. Cloud Computing Environment: A Review. Secure  Patidar, K. A Shrivastava, M. Integrating the Trusted survey. Privacy in the clouds: A report Security threats and Counter http: Security and Privacy in Cloud Sinjilawi is a computer McSpedden-Brown, N. Here, the third party could be a legal authority or even an internal employee. The customer should always be informed before the vendor allows third parties to access the stored data [Def 3]. Non cloud services also have security concerns but cloud has additional risk of external party involvement and exposure of critical and confidential data outside organizations control.
Modifying security measures or introducing pristine best practices relevant to one particular organization is also unattainable. The cloud provider stores the data on the provider's side, and maintenance is done exclusively by the provider; hence clients have no means to check the provider's security practices, the provider's employees, their skills, specializations, etc.
Incidents may also be caused unintentionally, where employees mistakenly send sensitive data to the wrong recipient.
Applications which people used to access within the organization's intranet are hence exposed to networking threats and internet vulnerabilities, which include distributed denial of service attacks, phishing, malware and Trojan horses. If an attacker gains access to client credentials, they can eavesdrop on all activities and transactions, manipulate data, return falsified information, and redirect clients to illegitimate sites. Your account or service instances may become a new base for the attacker.
From here, they may leverage the power of your reputation to launch subsequent attacks. Providers should be able to tell the users what will happen in case of any natural disaster, how much data they will be able to recover and the stipulated www. The difficulty in retrieving data if there is a change in provider or a need to roll to a different platform adds to the apprehension about embracing cloud computing.
We have discussed the different security vulnerabilities of cloud computing, and the question arises as to the measures that have to be taken to secure data over the cloud. Proper implementation of security measures is mandatory in cloud computing.
The fact that an application is launched over the internet makes it susceptible to security risks. Cloud providers should think beyond the customary security practices like restricted user access, password protection etc. When an employee no longer has a business need to access the datacenter, his privileges to access the datacenter should be immediately revoked. A firewall should be present on all external interfaces.
A list of necessary ports and services should be maintained. Assessment of firewall policies and rule sets and reconfiguration of routers should be done at regular intervals. Build and deploy a firewall that restricts access from systems that have a direct external connection and those which contain confidential data or configuration data.
Data encryption is one common approach that providers follow to safeguard their clients' data, but the question is whether the data is being stored in encrypted format or not. To store crucial data, organizations can think of a private or hybrid cloud where the data will be behind a secure corporate firewall.
Data refinement is valid in case of backed up data also. The cloud customers will never be able to make out the exact storage location of their records, and there comes the importance of data backup and recovery. Backup software should include public cloud APIs, enabling simple backup and recovery across major cloud storage vendors, such as Amazon S3, Nirvanix Storage Delivery Network, Rackspace and others, and giving consumers flexibility in choosing a cloud storage vendor to host their data vault.
If the provider agrees to back up crucial data, then the question arises of how to determine the priority of data. The easiest and least complicated way is to protect the entire workstation or the server. It is critical for the backup application to encrypt confidential data before sending it offsite to the cloud, protecting both data-in-transit over a WAN to a cloud storage vault and data-at-rest at the cloud storage site. Consumers need to verify that the cloud backup software they choose is certified and compliant with the Federal Information Processing Standards (FIPS) requirements issued by the National Institute of Standards and Technology.
FIPS certification is required for government agencies as well as for regulated financial, healthcare and other industries for compliance with data retention and security regulations such as HIPAA, Sarbanes-Oxley, Gramm-Leach-Bliley and other legal requirements. Identity and Access management eliminates the need for www. Identity federation, popularized with the introduction of service oriented architectures, is one solution that can be accomplished in a number of ways, such as with the Security Assertion Markup Language (SAML) standard or the OpenID standard.
SAML provides a means to exchange information, such as assertions related to a subject or authentication information, between cooperating domains. SOAP messages are digitally signed. For example, once a user has established a public key certificate for a public cloud, the private key can be used to sign SOAP requests.
SOAP message security validation is complicated and must be carried out carefully to prevent attacks. A new element i. The original body can still be referenced and its signature verified, but the operation in the replacement body is executed instead. SAML alone is not sufficient to provide cloud-based identity and access management services. The capability to adapt cloud subscriber privileges and maintain control over access to resources is also needed.
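The validation problem described above can be checked structurally: the element the signature reference points at must be the same soap:Body the service will execute. The following is an added example, not code from the original page; it assumes WS-Security style `wsu:Id` references and that cryptographic verification of the signature value is done separately by an XML-DSig library, and the function name and sample messages are constructed for illustration.

```python
import xml.etree.ElementTree as ET  # production code should use a hardened parser (e.g. defusedxml)

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
DS = "http://www.w3.org/2000/09/xmldsig#"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
NS = {"soap": SOAP, "ds": DS}

def check_signed_body(xml_text):
    """Return (ok, reason); ok is True only when the signed element is the executed Body."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Envelope" % SOAP:
        return False, "root is not soap:Envelope"
    bodies = root.findall("soap:Body", NS)  # direct children only: the Body that gets executed
    if len(bodies) != 1:
        return False, "expected exactly one soap:Body under Envelope"
    by_id = {}
    for el in root.iter():  # an Id that resolves to two elements is ambiguous, so reject it
        ident = el.get("{%s}Id" % WSU)
        if ident is not None:
            if ident in by_id:
                return False, "duplicate wsu:Id"
            by_id[ident] = el
    refs = root.findall(".//ds:Reference", NS)
    if not refs:
        return False, "no ds:Reference"
    for ref in refs:
        uri = ref.get("URI", "")
        if uri.startswith("#") and by_id.get(uri[1:]) is bodies[0]:
            return True, "signature reference covers executed body"
    return False, "signed element is not the executed soap:Body"

def _envelope(header_extra, body_attrs, operation):
    # Constructed sample message; the signature is a structural stub with no key material.
    return (
        f'<soap:Envelope xmlns:soap="{SOAP}" xmlns:ds="{DS}" xmlns:wsu="{WSU}">'
        '<soap:Header><ds:Signature><ds:SignedInfo><ds:Reference URI="#body-1"/>'
        f'</ds:SignedInfo></ds:Signature>{header_extra}</soap:Header>'
        f'<soap:Body{body_attrs}><{operation}/></soap:Body></soap:Envelope>'
    )

# Original signed body moved under a wrapper element in the header (constructed).
_MOVED = '<Wrapper><soap:Body wsu:Id="body-1"><OperationA/></soap:Body></Wrapper>'

LEGIT = _envelope("", ' wsu:Id="body-1"', "OperationA")
WRAPPED = _envelope(_MOVED, "", "OperationB")                  # replacement body is unsigned
DUP_ID = _envelope(_MOVED, ' wsu:Id="body-1"', "OperationB")   # replacement reuses the Id

if __name__ == "__main__":
    for name, msg in (("legit", LEGIT), ("wrapped", WRAPPED), ("dup-id", DUP_ID)):
        print(name, check_signed_body(msg))
```
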
As part of identity management, standards like the eXtensible Access Control Markup Language (XACML) can be used by a cloud provider to control access to cloud resources, instead of using a proprietary interface. XACML is capable of controlling the proprietary service interfaces of most providers, and some cloud providers already have it in place.
Messages transmitted between XACML entities are susceptible to attack by malicious third parties, making it important to have safeguards in place to protect decision requests and authorization decisions from possible attacks, including unauthorized disclosure, replay, deletion and modification [Def 9]. Keep a log of users who access data, the time of the event and the event description. Providers should verify the authenticity of their clients. A frequent data backup policy should be in place. Penetration testing should be done at regular intervals to ensure vulnerabilities are not in the cloud.
Based on the proposals discussed above, I have come up with a framework that will help cloud consumers and providers to safeguard the data to some extent. Cloud providers have a number of clients, and they may offer any of the services, namely IaaS, PaaS and SaaS.
In this framework the providers check for user authentication, make sure that the clients approaching them are authorized and genuine. Steps involved in security framework are explained below: Alternate plans should be ready to meet unexpected disasters. Providers should be equipped with data recovery plans in all emergencies.
Deleting data from servers and backup devices when the service is removed or the server is removed from the cloud. System logs must be maintained with the following details: the users who accessed the data, when, how much time was spent, and the modifications made. But it can help to a great extent to ensure data security in the cloud. The flexibility the cloud brings has some disadvantages for privacy and security. If the providers and consumers follow the security measures discussed above, cloud computing will be more secure.
As and when the issues around security and privacy are elucidated, cloud computing will be accepted widely. Eloff, H. Business Adoption of Cloud Computing. AberdeenGroup Sept 9,