
See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/216700324

Data Security Risks in Cloud Computing

Conference Paper · January 2012


1 author:

Vidhyalakshmi Parthasarathy
Army Institute of Management and Technology

All content following this page was uploaded by Vidhyalakshmi Parthasarathy on 28 October 2016.



International Conference on Advances in Computing and Management - 2012

Data Security Risks in Cloud Computing


P. Vidhyalakshmi
Computer Science Department, Ansal Institute of Technology
Sec-55, Gurgaon, India.
[email protected]

Abstract— Cloud computing is the buzzword in today’s business scenario. Significant innovations in virtualization and distributed computing, together with easy access to the Internet, have accelerated the interest in cloud. Cloud computing is an economical solution for those looking at business agility within limited resources. Gartner’s Strategic Planning Hypothesis predicts that, by 2012, about 80% of Fortune 1000 companies will use cloud computing services in some fashion. It is mostly used for data storage and data processing needs. It is seen as an advancement of distributed processing. It has both positive and negative effects on data storage. On the positive side it reduces the cost and time for the user, and on the negative side it has security issues. Some of the data security risks and their solutions are discussed in this paper.

Keywords— Data Centre, cloud computing, IaaS, PaaS, SaaS, SLA, data encryption algorithms, digital signature.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. ICACM 2012, January 06-08, 2012, Pune, Maharashtra, India. Copyright 2012, ISBN 978-81-921768-0-2

I. INTRODUCTION
Information Technology (IT) is an important tool to run a business successfully. Organizations rely on the Information System (IS) built with the help of IT for running the business. When the system fails, most of the business operations come to a halt. Rendering reliable service is the main aim of an IS. Data centers are of great help for this. A data center consists of computer systems and associated components, such as telecommunications, security devices and storage systems. It also includes environmental controls like air conditioning and fire suppression. Redundancy of data storage and backup of power supply are the main features of data centers. Customers with considerable investments in their data centers may find themselves with capacity problems, or may want to explore minimizing future capital expenditures. An easy solution for this is cloud computing, which offers a Pay-Per-Use-On-Demand facility. [3]

Cloud computing is a development of parallel computing, distributed computing and grid computing. Hardware and software are no longer procured by the user, but are used as services. Cloud service providers enable users to access and use the necessary Internet and Communication Technologies (ICT) resources via the Internet. To provide these resources, providers often fall back upon other providers in the cloud, which, for example, make storage capacity available for customer data or computer capacity for data processing. Well-known examples of cloud computing services are Amazon Simple Storage Services, Amazon Web Services, Google App Engine, Microsoft Azure Services Platform or SalesForce.com. Numerous Internet service providers also use cloud computing as a basis for search engines, blogs and social networks, among others. [3]

II. DATA CENTER
Information security is the main concern of data centers, and for this reason a data center has to offer a secure environment, which minimizes the chances of a security breach. A data center must therefore keep high standards for assuring the integrity and functionality of its hosted computer environment. This is accomplished through redundancy of both fibre optic cables and power, which includes emergency backup power generation. [1]

Data centers are divided into four tiers. The first tier (Tier 1) is simple and inexpensive. It consists of a single path for power and cooling distribution and does not have redundant components. It needs a security lock and can tolerate up to 28.8 hours of downtime. It is mostly used as an enterprise data center which serves within the organization. The second tier (Tier 2) is composed of a single path for power and cooling distribution, with redundant components. Permissible downtime is 22.0 hours per year. It is appropriate for Internet based companies without financial penalty for quality of service commitments. The third tier (Tier 3) consists of multiple active power and cooling distribution paths, but only one path active, and also has redundant components. The allowed downtime is 1.6 hours per year. It is suitable for organizations that depend totally on IT for business automation. The last tier (Tier 4) is robust, fault tolerant and used for critical applications. It consists of multiple active power and cooling distribution paths and also has redundant components. The permissible downtime is 0.4 hours per year. This is used by companies which have extremely high-availability requirements for ongoing business such as e-commerce, market transactions, or financial settlement processes. [2]

Dynamic technological changes, increased business complexity, information explosion, and user sophistication are the factors that push organizations to find cost effective solutions to operate their data centers. Data centers work fine with these redundant features on a single server. These redundant features aim at providing reliable data storage. If the data cannot be accommodated in a single server, then multiple servers have to be used. If the data is spanned across several servers, then the replication becomes a waste of resources. Using the data center with cloud computing provides a solution for this.

III. CLOUD COMPUTING
Cloud computing is a way of computing which uses the Internet to share all resources. This is accomplished with the help of remote access. [3] The term cloud computing is derived from the cloud symbol usually used to represent the Internet and the complex infrastructure behind it in graphics. Normally the software that has to be used by the employees has to be loaded on their systems. With an increase in employee strength, the software loading overhead also increases. This was the scenario before cloud usage, but now the software to be used is loaded in the cloud, and with the help of the application loaded on their machine, the user logs into a web-based service which hosts all the programs the employee needs. Remote machines owned by another company run everything from e-mail to word processing to complex data analysis programs. Users can save on fixed costs. Providers who make their resources available to as many users as possible can optimize utilization of their systems and thus reduce their costs. Cloud computing offers the additional advantage that the use of the ICT resources can be easily adjusted to changes in requirements. In the current economic turmoil cloud computing is therefore an option that is being given serious consideration by many companies and organizations, especially the medium sized organizations. Work load, hardware and software demands on the local machines decrease a lot. The network of computers that forms the cloud handles these. The only thing that is required is the cloud computing interface software, mostly something like a web browser. It is suitable for organizations of all sizes, but it does not suit the ones that have mission critical or commercially sensitive data. This is obvious, as no business would like to lose control of critical data. [6]

Cloud computing gives the user cost benefits and flexibility. It is broken into three segments: “Application”, “Platform” and “Infrastructure”. The services offered by the cloud are also divided on this basis as: Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS) and Software-as-a-Service (SaaS). The cloud computing architecture is given in Fig 1. IaaS is the base layer of the cloud layer stack. Amazon EC2 (Elastic Compute Cloud) and Simple Storage Service (S3) are the famous examples of IaaS. The IaaS provider supplies the infrastructure needs like servers, routers, firewalls, storage, hardware based load-balancing and other network equipment based on the demand of the user. PaaS has the set of software and product development tools hosted on the cloud, which enables application development without the cost and complexity of buying and managing the underlying hardware and software. [7] It also provides the facilities required to support the complete lifecycle of building and delivering the applications. Some of the well-known examples are Google App Engine and Microsoft’s Azure Service Platform. SaaS facilitates the replacing of the software running on PCs. This helps to reduce the cost of software purchase. Instead of buying the costly software, the pay-as-per-use pattern of the cloud can be used. This is not suitable for real time and online applications because of the delay on the network.

Fig. 1 Cloud Computing Architecture (diagram labels: Client, User Interface, Machine Interface, Application, Components, Services, Platform, Computer, Network, Storage, Infrastructure, Servers)

A. Cloud vendors and Consumers
Cloud vendors are the companies that provide the required cloud computing enabling technologies to satisfy a particular cloud service offering like SaaS, PaaS or IaaS. The vendors can host the infrastructure on their own or can hire other hosting providers. The consumers are the enterprises or the individuals who take the service provided by the vendors. For example, some companies can use the IaaS offered by Amazon to implement the applications and processes used by the enterprise. These enterprises will develop their applications on the infrastructure provided by Amazon. The vendor and the consumer sign a Service Level Agreement (SLA), which serves as a foundation for the expected level of service between them. QoS (Quality of Service) is an important attribute of the SLA that deals with the throughput and response time of running the application. This attribute changes frequently based on current technical developments and has to be closely monitored. [7]

IV. DATA SECURITY ISSUES
Cloud computing is globalised and has no borders. The storage of data and the computers used for processing could be anywhere across the globe, depending on where the resources are available. Cloud operators like Amazon offer the customer an option to choose the zone for their storage from the available zones. A lot of issues arise regarding the security of data which is spanned across the globe. For example, if a customer uses an e-mail service based on the cloud, the customer’s data can be stored on any server. It is difficult to guess where it is stored, who is responsible for maintaining it, how it is being processed, etc. To ensure data confidentiality, integrity and availability, the service providers must follow data handling ethics.

Data encryption techniques should be used to ensure that the shared storage environment is protected. The providers should adopt stringent access controls to prevent unauthorized access to data. The data should not be shared with another organization without the consent of the data owner. Techniques should be adopted to ensure the data is transmitted to and from the consumer through secured cables. The providers have to ensure that their data transmission and their storage or processing systems are completely protected from hackers. If SaaS is used by the consumers, then the vendors have to provide virus-free and up-to-date versions of the software. There should be scheduled data backup and safe storage of the backup media. The SLA should have clauses regarding data security, transmission procedures, confidentiality, availability, etc. [4]

Instead of relying on vendors for data security, the consumers can also adopt some data security methods. Different types of security measures have to be used in cloud computing because of the three service models (IaaS, PaaS, SaaS) and also because of the different deployment methods like private cloud, public cloud and community cloud. The public cloud, also known as external cloud or multi-tenant cloud, is the cloud environment that is openly accessible. It provides an IT infrastructure in a third party’s physical data centers that can be utilized to deliver services without having to be concerned with the underlying technical complexity. The important characteristics are homogeneous infrastructure, common policies, shared resources, operational expenditure cost model and economy of scale. The private cloud, also known as internal cloud or on-premise cloud, is the one that is owned, utilized and maintained by the organization. Customer service is the main purpose of this cloud. This type of cloud is primarily used to maintain a consistent level of control over security, privacy and governance. The characteristics are heterogeneous infrastructure, customized policies, dedicated resources, in-house infrastructure, and end-to-end control. The community cloud is shared and managed by several organizations that have similar requirements. The cost of using the cloud is shared by only a few users when compared to the public cloud, but it offers a higher level of privacy and security. It can be managed by the company or a third party. [9]

Public and community cloud users have to be safeguarded from the data security risks. As discussed above, data encryption at the customer’s end could be a solution for these risks. Encryption is basically a set of mathematical calculations and algorithmic schemes that use a key to transform the plain text into cyphertext (a form that is not readable to unauthorized users). The receiver of the encrypted message uses the key, with the help of which the algorithm decrypts the message, i.e. transforms the cyphertext to plain text. The encryption methods are classified as symmetric and asymmetric. In the symmetric method, both the sender and the receiver share the key. Refer Fig 2. Some of the symmetric encryption methods are AES (Advanced Encryption Standard), DES (Data Encryption Standard) and Blowfish. [8]

Fig. 2 Symmetric Encryption Technique (diagram: plain text, encrypt process before sending data to cloud, encrypted cipher text stored in cloud, decrypt process after receiving data from cloud, plain text; labelled “Shared Key”)

In the asymmetric method, a pair of keys called the private key and the public key are used. Both the sender and the receiver know the public key, and it is used to encrypt the data. Only the owner of the private key can decrypt the message. Refer Fig 3. Although the public and private keys are always in pairs, it is difficult to derive the private key from the public key which is shared. That is why this method is considered to be more secure than the symmetric method. Examples of this method are Diffie-Hellman and RSA (named after Ron Rivest, Adi Shamir and Len Adleman, who invented this algorithm in 1977).

Fig. 3 Asymmetric Encryption Technique (diagram: plain text, encrypt process before sending data to the cloud, encrypted cipher text stored in cloud, decrypt process after receiving data from cloud, plain text; labelled “Public Key” and “Private Key”)

This encryption process can be done either at the customer’s end or at the service provider’s or at the vendor’s end. Doing it at the vendor’s end may increase the computation time and usage, which in turn increases the cost. Moreover, there may be no guarantee of the proper implementation of the encryption process. For these reasons, it is suitable to do the encryption process at the customer’s end. In all the encryption methods the three major components that have to be used are: the data, the encryption engine and the key management. A virtual private storage architecture should be implemented, and the data should be encrypted using the cloud backup service before loading the data on to the cloud, and the same service should do the decryption after the data is downloaded from the cloud. The keys remain in the organization and the key management is solely done by them. The encryption and the key should not be in the same volume of storage. They have to be separated, which results in a three tier architecture. The tiers are a volume with encrypted data, an instance with the encryption engine, and the key management server that provides the encryption key on demand. The key management server will provide the key based on the manual check and integrity checks in the running encryption engine.
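The three-tier separation described above (volume with encrypted data, encryption engine, key management server) as an added example that is not from the paper. The class and function names, the SHA-256 measurement used as the engine integrity check, and the HMAC-based stand-in cipher are assumptions made here; the manual check is not modelled.

```python
import hashlib
import hmac
import secrets


def _subkey(master: bytes, label: bytes) -> bytes:
    return hmac.new(master, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Stand-in cipher (HMAC-SHA256 in counter mode) so the example needs only
    # the standard library; a real engine would call a vetted AEAD like AES-GCM.
    blocks = (hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]


class KeyServer:
    """Tier 3: stays inside the organization and hands out keys on demand."""

    def __init__(self, approved_measurements):
        self._approved = set(approved_measurements)
        self._keys = {}

    def get_key(self, key_id: str, engine_measurement: str) -> bytes:
        # Integrity check on the running engine before any key is released.
        if engine_measurement not in self._approved:
            raise PermissionError("encryption engine failed the integrity check")
        return self._keys.setdefault(key_id, secrets.token_bytes(32))


class EncryptionEngine:
    """Tier 2: encrypts before upload, decrypts after download, stores no key."""

    def __init__(self, key_server: KeyServer, engine_code: bytes):
        self._ks = key_server
        self.measurement = hashlib.sha256(engine_code).hexdigest()

    def seal(self, key_id: str, plaintext: bytes) -> bytes:
        master = self._ks.get_key(key_id, self.measurement)
        nonce = secrets.token_bytes(16)
        stream = _keystream(_subkey(master, b"enc"), nonce, len(plaintext))
        body = nonce + bytes(a ^ b for a, b in zip(plaintext, stream))
        return body + hmac.new(_subkey(master, b"mac"), body, hashlib.sha256).digest()

    def unseal(self, key_id: str, blob: bytes) -> bytes:
        master = self._ks.get_key(key_id, self.measurement)
        body, tag = blob[:-32], blob[-32:]
        good = hmac.new(_subkey(master, b"mac"), body, hashlib.sha256).digest()
        if len(blob) < 48 or not hmac.compare_digest(tag, good):
            raise ValueError("stored ciphertext was modified")
        stream = _keystream(_subkey(master, b"enc"), body[:16], len(body) - 16)
        return bytes(a ^ b for a, b in zip(body[16:], stream))


ENGINE_CODE = b"constructed engine build 1"   # constructed stand-in for the engine binary
KEYS = KeyServer({hashlib.sha256(ENGINE_CODE).hexdigest()})
CLOUD_VOLUME = {}                             # Tier 1: holds ciphertext only


def upload(name: str, data: bytes, engine: EncryptionEngine) -> None:
    CLOUD_VOLUME[name] = engine.seal("customer-records", data)


def download(name: str, engine: EncryptionEngine) -> bytes:
    return engine.unseal("customer-records", CLOUD_VOLUME[name])
```

The cloud volume never sees the key, and an engine whose measurement is not on the key server's approved list is refused before any decryption is attempted.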

V. DIGITAL SIGNATURE WITH ENCRYPTION
Encryption is suitable for data like customer id, outstanding balance, password, etc. If the company’s important confidential documents like tenders, price lists and capital investment details have to be stored in the cloud, then a digital signature along with the data encryption has to be used. This is a mathematical method to authenticate the document. It gives the consumer a certificate, which guarantees that the document was not tampered with in storage or in transmission. [5]

Steps to be taken before sending the document to the cloud are as follows:
1. Use the hashing algorithm to reduce the document to a few lines called the “message digest”. Store the message digest in the local system.
2. Encrypt the message digest with the private key to produce the digital signature.
3. Append this signature to the document and send it to the cloud storage.

Steps to be taken after taking the data from the cloud to ensure authenticity of the document are:
1. Decrypt the signature with the private key and convert it to the message digest.
2. If the message digest matches the one that is stored in the local system, then the authentication is successful.
3. Convert the message digest to the proper message.

Most cloud providers automatically encrypt the data in transit by acquiring an SSL connection on any web browser, but whether the data is stored in an encrypted container is another issue. The best way to utilize the cloud is to make the cloud-based resources sit behind the corporate firewall, so that they are protected and also give the illusion of being inside the organization’s data center. [9]

Data encryption and decryption are collectively called cryptography. Things to remember while using cryptography in a cloud implementation are:
· Algorithms should be specialized and suitable for the complex shared environment.
· The key management has to be done effectively.
· The encrypted data has to be transmitted over a secured connection.
· The encryption may increase processing time, so it has to be used mainly for the confidential data.
· New encryption methods have to be adopted, i.e. periodic changes to the encryption method have to be made.
· A comprehensive layering approach has to be used, which makes it difficult to penetrate the data in the cloud.

VI. CONCLUSIONS AND FUTURE SCOPE
Use of an encryption method is the key component of cloud data security, but the most robust encryption is pointless if the keys are exposed or if the encryption end points are insecure, so key management is very important. The issues discussed above are for the data at rest, i.e. data in storage. There are several security problems for the data in motion also, i.e. data in transmission. Cloud computing is expected to grow in size and is still vulnerable to attacks. Stringent data protection laws should be enforced with details about scope of processing, deletion of data, localization of data, restitution of data and audits. Proper implementation of data protection laws and quality SLAs could help to have better security of data in the cloud. The future scope of this paper is to identify the security and quality issues of all the three deployment methods and to provide solutions.

REFERENCES
[1] Data Center. http://en.wikipedia.org/wiki/data_center
[2] http://www.vi.net/vital-support/datacenter-tiers.php
[3] Cloud Computing. http://en.wikipedia.org/wiki/Cloud_computing
[4] Data security issues. www.whoswholegal.com/news/features/article/18246/cloud-computing-data-protection
[5] Business benefits. www.techno-pulse.com/2011/03/businessbenefits-cloudcomputingservices.html
[6] http://www.cloudcomputinglive.com/asia/platform-as-a-service.html
[7] http:www.eetimes.com/design/embedded-internet-design/data-security-in-cloud-computing—part-2-data-encryption-applications-and-limit.
[8] European Network and Information Security Agency (ENISA), Cloud Computing: Benefits, Risks and Recommendations for Information Security, Nov. 2009; www.enisa.europa.eu/act/rm/files/deleverables/cloud-computing-risk-assessment/fullreport.
[9] http://bizcloudnetwork.com/defining-cloud-deployment-models.
