SECURITY ISSUES IN CLOUD COMPUTING FOR MSMES

INTERNATIONAL JOURNAL OF ADVANCED RESEARCH IN MANAGEMENT (IJARM)

ISSN 0976 - 6324 (Print)
ISSN 0976 - 6332 (Online)
Volume 3, Issue 2, July-December (2012), pp. 21-28
© IAEME: www.iaeme.com/ijarm.html
Journal Impact Factor (2012): 2.8021 (Calculated by GISI)
www.jifactor.com




         SECURITY ISSUES IN CLOUD COMPUTING FOR MSMES

        Mr. Hemantkumar Wani                                        Dr. N. Mahesh
  Department of Management studies                        Department of Management studies
 Shri Jagdiprasad Jhabarmal Tibrewala                    Shri Jagdiprasad Jhabarmal Tibrewala
               University                                              University
            Rajasthan, India                                        Rajasthan, India
      sayhemant@rediffmail.com                              nadiminty.mahesh@gmail.com



ABSTRACT

This research paper focuses on the security issues of cloud computing in the sector of micro,
small & medium enterprises (MSMEs). Intensifying competition among MSMEs and earlier
adoption of the latest Internet-based applications and services have led to greater opportunities
that are worth seizing. The opening up of the world's IT-based markets has posed many challenges
with the flood of IT-enabled services and applications. Cloud computing makes it possible for
users to get all the resources instantly from various locations that are not known to them. But
there are many hurdles in accomplishing this idea, in the form of security parameters and backup
issues.

Keywords - MSME (Micro, Small & Medium Enterprises), SLA, SSL technology, firewall, Middle
server.
        I.      INTRODUCTION
        Indian manufacturers, especially from the MSME sector, have started to adopt software and
technology solutions that have been further revolutionized by the concept of cloud computing,
which offers cutting-edge and innovative solutions to cope with these challenges.
        In the recent past, the concept of cloud computing has revolutionized the world of IT. Cloud
computing enables efficient delivery of business applications online that are accessible from
web browsers. Cloud computing can supply a new type of computing and business model for
MSMEs. The MSME sector has adopted this concept worldwide and has implemented it to
improve its overall operations. The type (SaaS, PaaS, etc.) of cloud service an MSME will
likely use, the disaster recovery options it considers, and the cloud computing services it uses in
terms of IT services and applications all have effects on business and the economy. Security risks
should be analyzed in adopting cloud computing technologies, along with the actual needs,
requirements and expectations of the MSMEs for cloud computing services.

   Cloud computing emerged from so-called distributed computing and grid computing. Here the
user can access any service he/she wants for a specific task and for a specific amount of
time [1]. Cloud computing provides a facility for sharing and interoperating resources
between different users and the systems owned by the organizations. Security is a major
hindrance in such systems because if users store their data in a remote location owned by an
unknown person or organization, then their data is not protected. Members communicating with
each other should have a good level of trust so as to share data and resources with each other.
   In the actual scenario, the cloud is the concept of virtualizing the user's local system using a
remote cloud operating system to get a virtual desktop with a specific operating system or a
choice of operating systems, to store personal data and to execute applications from anywhere.
The customers or users purchase computing power depending on their demand and are not
concerned with the underlying technologies used. The resources used and data accessed are
owned by a third party and operated by them. This third party may not be located in the same
area where the user lives; it may be elsewhere in the state or country.

        II.     CLOUD STRUCTURE AND TYPES

       Public cloud: It is used by a lot of users all over the world, and the security
aspects act as the utmost hindrance in such situations. It is basically a pay-per-use model in
which users pay as per their use, which becomes very useful and cost effective for the companies
they are working for and for themselves.

        Private Cloud: In private cloud we get additional benefits like additional security as the
company has the server at its end. As a way to exercise greater control over security and
application availability, some enterprises are moving toward building private clouds. With the
right approach and expertise in place, this type of setup can offer the best of both worlds: the
cost-effectiveness of cloud computing and the assurance that comes with the ability to manage
data and applications more closely.

        Hybrid cloud: It provides services by combining private and public clouds that have been
integrated to optimize service. The promise of the hybrid cloud is to provide the local data
benefits of the private clouds with the economies, scalability, and on-demand access of the
public cloud. The hybrid cloud remains somewhat undefined because it specifies a midway point
between the two ends of the continuum of services provided strictly over the Internet and those
provided through the data centre or on the desktop. [2]





          III.   MODELS OF CLOUD COMPUTING

A.   Model 1: Infrastructure as a Service (IaaS)

The key aspects of IT infrastructure, hardware, facilities, and administration have traditionally
been the domain of IT departments within each company. Dedicated personnel install and
configure servers, routers, firewalls, and other devices in support of their respective employers.
This equipment requires dedicated housing as well as environmental controls, emergency power,
and security systems to keep it functioning properly. Finally, every company allocates additional
space where IT personnel work to support the infrastructure that is in place. Every aspect of IT
infrastructure has evolved on its own, yet, until now, has not moved toward integration. For
example, a company purchases software it needs and then purchases a server to run it. If data
storage is necessary for files or databases, disk arrays and hard drives are added into the mix to
accommodate the needs of the company. A local network is maintained to provide employees
access to IT resources, and high speed internet connectivity for voice and data is added to the
company account as necessary. Practically speaking, each IT system has its own management
system, with some systems requiring the addition of a specialized worker to the staff.
Infrastructure as a service takes the traditional components of IT infrastructure, takes them off
site, and offers them in one unified, scalable package to companies who can manage them
through one management interface. Infrastructure as a service results in IT services that easily
conform to the changing requirements of a business. Because the infrastructure does not reside
on the premises, obsolete equipment, upgrades, and retrofits no longer play a role in the
company's decision to adopt new technology [3]. The IaaS provider takes care of that seamlessly,
allowing the business to focus on its mission. Cost effectiveness augments the convenience of
IaaS. Because the IaaS provider has massive platforms segmented for each customer, the
economies of scale are enormous, providing significant cost savings through efficiency. The
need for every company to maintain its own infrastructure is eliminated through IaaS. The power
of IaaS brings the resources needed to service government and enterprise contracts to businesses
of every size. IaaS improves reliability because service providers have specialized workers that
ensure nearly constant uptime and state-of-the-art security measures. Infrastructure as a Service
is a form of hosting. It includes network access, routing services and storage. The IaaS provider
will generally provide the hardware and administrative services needed to store applications and
a platform for running applications. Scaling of bandwidth, memory and storage are generally
included, and vendors compete on the performance and pricing offered on their dynamic
services. IaaS can be purchased with either a contract or on a pay-as-you-go basis. However,
most buyers consider the key benefit of IaaS to be the flexibility of the pricing, since you should
only need to pay for the resources that your application delivery requires [4].

B.   Model 2: Software as a Service (SaaS)

Software is ubiquitous in today’s business world, where software applications can help us track
shipments across multiple countries, manage large inventories, train employees, and even help us
form good working relationships with customers. For decades, companies have run software on
their own internal infrastructures or computer networks. In recent years, traditional software
license purchases have begun to seem antiquated, as many vendors and customers have migrated
to the software as a service business model. Software as a service, or 'SaaS', is a software application
delivery model by which an enterprise vendor develops a web-based software application, and
then hosts and operates that application over the Internet for use by its customers. Customers do
not need to buy software licenses or additional infrastructure equipment, and typically only pay
monthly fees (also referred to as annuity payments) for using the software. It is important to note
that SaaS typically encapsulates enterprise as opposed to consumer-oriented web-hosted
software, which is generally known as web 2.0. According to a leading research firm, the SaaS
market reached $6.3B in 2006; still a small fraction of the over $300B licensed software
industry. However, growth in SaaS since 2000 has averaged 26% CAGR, while licensed
software growth has remained relatively flat. Demand for SaaS is being driven by real business
needs — namely its ability to drive down IT-related costs, decrease deployment times, and foster
innovation [5]. Both public and private cloud models are now in use. Available to anyone with
Internet access, public models include Software as a Service (SaaS) clouds like IBM
LotusLive™, Platform as a Service (PaaS) clouds such as IBM Computing on Demand™, and
Security and Data Protection as a Service (SDPaaS) clouds like the IBM Vulnerability
Management Service. Private clouds are owned and used by a single organization. They offer
many of the same benefits as public clouds, and they give the owner organization greater
flexibility and control. Furthermore, private clouds can provide lower latency than public clouds
during peak traffic periods. Many organizations embrace both public and private cloud
computing by integrating the two models into hybrid clouds. These hybrids are designed to meet
specific business and technology requirements, helping to optimize security and privacy with a
minimum investment in fixed IT costs.

All these services are cost effective but have a lot of issues regarding security and backup.
Depending upon the implementation and platform needed the central server can send the request
to the respective server.
    IV.          REQUIREMENTS OF SECURITY

It gives a general description of security services and related mechanisms, which can be ensured
by the Reference Model, and of the positions within the Reference Model where the services and
mechanisms may be provided. It extends the field of application of ISO 7498 [6] to cover secure
communications between open systems. It adds to the concepts and principles included in ISO
7498 but does not modify them. Fig. 1 shows how the requirements are fulfilled in our proposed
system.
          a. Authentication and Authorisation
The user can be identified in this model, as we are using SSL security for that purpose. A
governance body acts as an interface between the user and the cloud servers. There will be
encryption between the user and the central server and between the central server and the cloud
of servers. User details will be stored within the central server in the form of UserID etc., and
validation will be done accordingly. Hence this requirement is fulfilled. Authorization is
not a big issue in a private cloud because the system administrator can look into it by granting
access only to those who are authorized to access the data. In a public cloud, by contrast, it
becomes more demanding because requests from normal users have to be taken into consideration.
Privileges over the process flow have to be considered, as the control may flow from one server
to another. The respective UserID will be saved in the central servers after registration, and
authorization can be done easily as the respective rights can be stated there.
         b.    Confidentiality
Confidentiality plays a very important role, as the data has to be secure and should not be
revealed anywhere. This can be achieved in this system as we have used Dual SSL technology.
Users' data, profiles etc. have to be maintained, and as they are accessed virtually, various
security protocols have to be enforced. If we standardize the whole cluster of a particular sector
then this can be easily imposed. With regard to data-in-transit, the primary risk is in not using a vetted
encryption algorithm. Although this is obvious to information security professionals, it is not
common for others to understand this requirement when using a public cloud, regardless of
whether it is IaaS, PaaS or SaaS. It is also important to ensure that a protocol provides
confidentiality as well as integrity (e.g., FTP over SSL [FTPS], Hypertext Transfer Protocol
Secure [HTTPS], and Secure Copy Program [SCP])—particularly if the protocol is used for
transferring data across the Internet. Merely encrypting data and using a non-secured protocol
(e.g., “vanilla” or “straight” FTP or HTTP) can provide confidentiality, but does not ensure the
integrity of the data (e.g., with the use of symmetric streaming ciphers) [6].
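
The difference between confidentiality and integrity described above, as an added example that is not part of the original paper: a constructed stream cipher (SHA-256 in counter mode, for illustration only and not a vetted algorithm) decrypts an altered ciphertext without any error, while the same record protected with encrypt-then-MAC (HMAC-SHA256) is rejected. All function names and the sample record are assumptions.

```python
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Constructed stream cipher keystream (SHA-256 in counter mode).
    Illustration only; it is not a vetted algorithm."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_only(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR with the keystream: confidentiality, no integrity.
    The same call decrypts, because XOR is its own inverse."""
    return bytes(d ^ k for d, k in zip(data, keystream(key, nonce, len(data))))


def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC-SHA256(nonce || ciphertext)."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = encrypt_only(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; reject anything that was altered."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("message too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: message altered in transit")
    return encrypt_only(enc_key, nonce, ct)


def tamper(data: bytes, offset: int, mask: int) -> bytes:
    """Model an in-transit change to a single byte."""
    out = bytearray(data)
    out[offset] ^= mask
    return bytes(out)


def demo():
    enc_key, mac_key = secrets.token_bytes(32), secrets.token_bytes(32)
    record = b"server=ABC;lease=30mins"      # constructed sample record
    offset = record.index(b"3")              # position of the lease digit

    # Encryption only: the altered ciphertext decrypts without any error.
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = encrypt_only(enc_key, nonce, record)
    silently_altered = encrypt_only(enc_key, nonce, tamper(ct, offset, 0x04))

    # Encrypt-then-MAC: the same change is caught before decryption.
    blob = seal(enc_key, mac_key, record)
    try:
        open_sealed(enc_key, mac_key, tamper(blob, NONCE_LEN + offset, 0x04))
        detected = False
    except ValueError:
        detected = True
    return silently_altered, detected


if __name__ == "__main__":
    print(demo())
```

A protocol the paper names, such as HTTPS, provides both properties at once; the constructed cipher here only makes the difference visible.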
           c.         Integrity
Integrity is maintained as the hashing is done in SSL technology. The major drawback in case of
this technology is the excessive redundant data due to which the bandwidth is used up and the
packet size is increased. From a privacy and confidentiality perspective, the terms of service may
be the most important feature of cloud computing for an average user who is not subject to a
legal or professional obligation. It is common for a cloud provider to offer its facilities to users
without individual contracts and subject to the provider’s published terms of service. A provider
may offer different services, each of which has distinct terms of service. A cloud provider may
also have a separate privacy policy. It is also possible for a cloud provider to conduct business
with users subject to specific contractual agreements between the provider and the user that
provides better protections for users. The contractual model is not examined further here. If the
terms of service give the cloud provider rights over a user’s information, then a user is likely
bound by those terms. A cloud provider may acquire through its terms of service a variety of
rights, including the right to copy, use, change, publish, display, distribute, and share with
affiliates or with the world the user’s information. There may be few limits to the rights that a
cloud provider may claim as a condition of offering services to users. Audits and other data
integrity measures may be important if a user’s local records differ from the records maintained
on the user’s behalf by a cloud provider.

                d.   Availability

Another issue is the availability of the data when it is requested by authorized users. The most
powerful technique is prevention, through avoiding threats affecting the availability of the
service or data. It is very difficult to detect threats targeting availability. Threats targeting
availability can be either network-based attacks such as Distributed Denial of Service (DDoS)
attacks or CSP availability. For example, Amazon S3 suffered a two-and-a-half-hour outage in
February 2008 and an eight-hour outage in July 2008. In the next section, we will discuss the
identity and access management practices of cloud computing by tackling some protocols
such as Security Assertion Markup Language (SAML) and the Open Authentication (OAuth) protocol,
and a comparison between these two techniques to conclude the best solution.
            e.      Non-repudiation
Non-repudiation is the requirement which states that if a sender is sending the data to the other
end. In our proposed system this requirement is fulfilled by the middle server because it has the
routing table as well as the table of content of all the servers in the cloud with corresponding
server ID, name, location etc. Because the routing table holds the server IP and the receiver and
sender IPs, we can state that if the user has sent a request he cannot deny it, and if the receiver
gives an acknowledgement or response he also cannot deny giving it.

             f.      Backup and Disaster Recovery
A cloud may be used for production operations, so it is important to have a backup and disaster
recovery policy in place. The backup policy should define what data is backed up, how long
backups are kept, as well as costs associated with those services. Similarly, in the event of a
catastrophic failure of a private cloud, a failover plan should be in place. This plan may include
using multiple data centers to host a private cloud or running jobs in a more conventionally
organized cluster environment with manual management of jobs. The details of how to
implement backup and disaster recovery will vary by your needs and resources, but it is essential
for business continuity planning to have some policy in place [8].

     V.     USE OF PROPOSED MODEL
In the proposed system we have introduced a central server that holds a routing table
containing the cloud ID, the corresponding user ID, and the ID of the actual server to which the
user is connecting. The source IP and the destination IP are also put into the table.




                         Figure 1.   Architecture Diagram of proposed model



       TABLE I.       ROUTING TABLE

     UID      SID     Source IP        Destn IP         Time       Cloud ID   Packet Size   Server Name   Lease Time

     12017    2747    191.268.67.67    101.123.22.25    500mins    222        437kb         ABC           30mins

     86770    2967    111.125.25.23    102.124.12.35    800mins    266        128kb         XYZ           18mins



It also contains the actual amount of data flow, that is, the packets-per-second transfer rate. On
the user end there will be a personal firewall, and the connectivity between the user and the
central server will be encrypted using the SSL encryption standards that are regularly used
nowadays. At the central server's end there will be an application-level firewall which will check
whether the packets are malicious or not. Application-level firewalls (sometimes called proxies)
have been looking more deeply into the application data going through their filters. Fig. 2 shows
the architectural diagram of the proposed system. By considering the context of client requests
and application responses, these firewalls attempt to enforce correct application behavior, block
malicious activity and help organizations ensure the safety of sensitive information and systems.
They can log user activity too. Application-level filtering may include protection against spam
and viruses as well, and be able to block undesirable Web sites based on content rather than just
their IP address [6]. Further, what we have suggested is to make a separate cluster of clouds for
the banking sector, the educational sector and government bodies (will not contain confidential
data). The user has a personal firewall at his end. The central server, say for banks as an example,
consists of a table which holds the user ID, server ID, its name and all the related information
through which a governance body can back-track the server and the user. When a user tries to
connect to a particular server from the cloud, his/her user ID, server ID, source IP and
destination IP are saved. The total time of synchronization, the packet size being transferred,
the server name and the total lease time in case of a secure connection are saved in the table.
In case the user is not able to connect to a server, i.e., if the ping shows a connection time-out,
we can easily track the server from the central server's routing table. Even the user credentials
and the session are secured by SSL technology. Further, we can achieve more security by clubbing
different security algorithms with SSL [9].
There is secured connectivity between the user and the central server and between the cloud's
servers. Due to double encryption all the security requirements are fulfilled in this model.
Tracking the server is also simple because there will be a table which will help us know the cloud
ID, server name, server ID and the name of the organization whose server it is. So if the
server is not getting connected then we can track it. We also have to standardize all the servers in
the cloud for a particular sector; in the banking sector, for example, the centralized banks,
co-operative banks etc. have to come together and use standardized protocols so as to achieve this
proposal. Likewise, by standardizing in the education sector we can achieve a common place to gain
knowledge and we can use the services accordingly. We have also included the routing table below
which depicts the actual scenario.
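
A minimal model of the central server described in this section, as an added example that is not the authors' implementation: it checks a user's stated rights before a connection, validates the addresses, records the entry, and back-tracks the server for a user. The class, method and field names and the layout of the rights store are assumptions; the two sample rows are taken from Table I as printed, and the first one is refused because its source address has an octet above 255, which shows why entries need validating before anyone relies on them for tracking.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)          # entries cannot be edited once created
class Route:
    uid: int
    sid: int
    source_ip: str
    destn_ip: str
    cloud_id: int
    server_name: str
    lease_mins: int


# Rows of Table I as printed in the paper (Time and Packet Size omitted).
TABLE_I_ROWS = [
    Route(12017, 2747, "191.268.67.67", "101.123.22.25", 222, "ABC", 30),
    Route(86770, 2967, "111.125.25.23", "102.124.12.35", 266, "XYZ", 18),
]


class CentralServer:
    """Middle server holding user rights and the routing table (hypothetical API)."""

    def __init__(self, rights):
        # rights: UID -> server IDs the user may reach (assumed layout)
        self._rights = {uid: frozenset(sids) for uid, sids in rights.items()}
        self._table = []

    def connect(self, route: Route) -> Route:
        """Authorize, validate and record one connection request."""
        # Authorization is default-deny: unknown users have no rights.
        if route.sid not in self._rights.get(route.uid, frozenset()):
            raise PermissionError(f"UID {route.uid} has no right to SID {route.sid}")
        # A malformed address would make the entry useless for tracking.
        for label, value in (("source", route.source_ip),
                             ("destination", route.destn_ip)):
            try:
                ipaddress.IPv4Address(value)
            except ipaddress.AddressValueError as exc:
                raise ValueError(f"invalid {label} IP {value!r}") from exc
        self._table.append(route)
        return route

    def backtrack(self, uid: int):
        """Return every recorded entry for a user, oldest first."""
        return [r for r in self._table if r.uid == uid]

    def entries(self) -> int:
        return len(self._table)


def load_table(server: CentralServer, rows):
    """Try each row; return (accepted rows, list of (row, refusal reason))."""
    accepted, refused = [], []
    for row in rows:
        try:
            accepted.append(server.connect(row))
        except (PermissionError, ValueError) as exc:
            refused.append((row, str(exc)))
    return accepted, refused


if __name__ == "__main__":
    cs = CentralServer({12017: {2747}, 86770: {2967}})
    ok, bad = load_table(cs, TABLE_I_ROWS)
    print("accepted:", [r.server_name for r in ok])
    print("refused:", [reason for _, reason in bad])
```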
     VI.    CONCLUSION
The model we have proposed has its own advantages in terms of security and backup. Due to
the middle server technology between the user and the cloud server we can easily track the
user as well as the server in the cloud. We can also join public cloud and private cloud
together in one with hybrid clouds. Due to SSL security the security parameters are also taken
into consideration. This model can help cloud computing and make it reach new ends.

REFERENCES

[1]    Peter Mell and Tim Grance, "The NIST Definition of Cloud Computing",
       http://csrc.nist.gov/groups/SNS/cloud-computing/
[2]    Brian J. Dooley, "Architectural Requirements of the Hybrid Cloud", Information Management
       Online, February 10, 2010.
[3]    Steve Lesem, January 25, 2010,
       http://cloudstoragestrategy.com/2010/01/cloud-storage-for-the-enterprise---part-2-the-hybrid-cloud.html
[4]    R. Nicole, "Title of paper with only first word capitalized," J. Name Stand. Abbrev., in press.
[5]    http://www.wikinvest.com/concept/Software_as_a_Service
[6]    Tim Mather, Subra Kumaraswamy, and Shahed Latif, "Cloud Privacy and security", pp. 529–551,
       September 2009, First Edition.
[7]    "IBM Point of View: Security and Cloud Computing", Cloud computing White paper,
       November 2009.
[8]    Zhidong Shen, 2010 2nd International Conference on Signal Processing Systems (ICSPS).
[9]    Palivela Hemant, Hemant Wani, "Development of Servers In Cloud Computing To Solve
       Issues Related To Security And Backup" (CCIS-IEEE Conference, Beijing, China).



