Security is one of the most often-cited objections to cloud computing; analysts and skeptical companies ask "who would trust their essential data 'out there' somewhere?" We didn't focus on security extensively in our paper, and we wanted to offer our analysis of what the major security concerns are with cloud computing, and what might be done about them. These are preliminary thoughts; we welcome comments and criticism. Security is not our primary area of interest, and we'd love to hear from people with operational experience.
The security issues involved in protecting clouds from outside threats are similar to those already facing large datacenters, except that responsibility is divided between the cloud user and the cloud operator. The cloud user is responsible for application-level security. The cloud provider is responsible for physical security, and likely for enforcing external firewall policies. Security for intermediate layers of the software stack is shared between the user and the operator; the lower the level of abstraction exposed to the user, the more responsibility goes with it. Amazon EC2 users have more responsibility for their security than do Azure users, who in turn have more responsibilities than AppEngine customers. This user responsibility, in turn, can be outsourced to third parties who sell specialty security services. The homogeneity and standardized interfaces of platforms like EC2 make it possible for a company to offer, say, configuration management or firewall rule analysis as value-added services. Outsourced IT is familiar in the enterprise world; there is nothing intrinsically infeasible about trusting third parties with essential corporate infrastructure.
While cloud computing may make external-facing security easier, it does pose the new problem of internal-facing security. Cloud providers need to guard against theft or denial of service attacks by users. Users need to be protected against one another.
The primary security mechanism in today's clouds is virtualization. This is a powerful defense, and protects against most attempts by users to attack one another or the underlying cloud infrastructure. However, not all resources are virtualized and not all virtualization environments are bug-free. Virtualization software has been known to contain bugs that allow virtualized code to "break loose" to some extent. [1] Incorrect network virtualization may allow user code access to sensitive portions of the provider's infrastructure, or to the resources of other users. These challenges, though, are similar to those involved in managing large non-cloud datacenters, where different applications need to be protected from one another. Any large internet service will need to ensure that one buggy service doesn't take down the entire datacenter, or that a single security hole doesn't compromise everything else.
One last security concern is protecting the cloud user against the provider. The provider will by definition control the "bottom layer" of the software stack, which effectively circumvents most known security techniques. Absent radical changes in security technology, we expect that users will use contracts and courts, rather than clever security engineering, to guard against provider malfeasance. The one important exception is the risk of inadvertent data loss. It's hard to imagine Amazon spying on the contents of virtual machine memory; it's easy to imagine a hard disk being disposed of without being wiped, or a permissions bug making data visible improperly.
There's an obvious defense, namely user-level encryption of storage. This is already common for high-value data outside the cloud, and both tools and expertise are readily available. The catch is that key management is still challenging: users would need to be careful that the keys are never stored on permanent storage or handled improperly. Providers could make this simpler by exposing APIs for things like curtained memory or security-sensitive storage that should never be paged out.
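One way a guest can keep a storage-encryption key off permanent storage with what Linux already exposes, as an added example that is not code from the original post: the key lives in an anonymous mapping that is locked against swap, excluded from core dumps, and wiped before release. The `keybuf_*` names and the 32-byte key size are assumptions made for illustration.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE  /* exposes MAP_ANONYMOUS and madvise() */
#endif
#include <sys/mman.h>
#include <sys/random.h>
#include <unistd.h>

/* Hypothetical helper: a key that lives only in anonymous, never file-backed memory. */
struct keybuf { unsigned char *p; size_t len, maplen; int locked; };

/* Zero through a volatile pointer so the compiler cannot elide the stores. */
void keybuf_wipe(struct keybuf *kb) {
    volatile unsigned char *v = kb->p;
    for (size_t i = 0; i < kb->len; i++) v[i] = 0;
}

/* Returns 0 on success; kb->locked says whether mlock() pinned the pages.
   A strict caller refuses to load a key when locked == 0. */
int keybuf_alloc(struct keybuf *kb, size_t len) {
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    kb->maplen = (len + page - 1) / page * page;
    kb->p = mmap(NULL, kb->maplen, PROT_READ | PROT_WRITE,
                 MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (kb->p == MAP_FAILED) { kb->p = NULL; return -1; }
    kb->len = len;
    kb->locked = (mlock(kb->p, kb->maplen) == 0);  /* keep out of swap */
#ifdef MADV_DONTDUMP
    madvise(kb->p, kb->maplen, MADV_DONTDUMP);     /* keep out of core dumps */
#endif
    return 0;
}

/* Fill from the kernel CSPRNG; getrandom() is atomic for requests up to 256 bytes. */
int keybuf_generate(struct keybuf *kb) {
    return getrandom(kb->p, kb->len, 0) == (ssize_t)kb->len ? 0 : -1;
}

/* Wipe before unmapping; munmap() also drops the lock. */
void keybuf_free(struct keybuf *kb) {
    if (kb->p) { keybuf_wipe(kb); munmap(kb->p, kb->maplen); kb->p = NULL; }
}

int main(void) {
    struct keybuf kb;
    if (keybuf_alloc(&kb, 32) || keybuf_generate(&kb)) return 1;
    keybuf_free(&kb);  /* encrypt or decrypt with the key before this point */
    return 0;
}
```

Locking only constrains the guest kernel's own paging; the provider's hypervisor can still snapshot or swap guest memory, which is the gap the provider-side APIs mentioned above would have to close.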
[1] Indeed, even correct VM environments can allow the virtualized software to "escape" in the presence of hardware errors. See Sudhakar Govindavajhala and Andrew W. Appel, Using Memory Errors to Attack a Virtual Machine. 2003 IEEE Symposium on Security and Privacy, pp. 154-165, May 2003.
Cloud security will be the number one FUD story used to keep enterprises at the status quo by those that benefit from the status quo.
The truth however is that the post-condition invariants required to have correct security in public and private clouds, namely Integrity, Confidentiality, and Availability, don't depend on physical proximity.
@Anthony Tarlano: Integrity, confidentiality, and availability certainly depend on physical proximity. Let's say that VMs from two customers end up on the same physical machine in the cloud. If the hypervisor does not enforce isolation between these machines, one VM can affect the other VM by modifying its memory or its CPU state. There is nothing the affected VM can do to prevent this; it has to rely on the hypervisor.
Are you sure your cloud's hypervisor provides perfect isolation between VMs?
Mihai,
Invariants are the requirements that represent the target of engineering a correct solution, they shouldn't be confused with a particular system implementation.
Having said that, let's see what we can engineer to meet the correctness invariant.
There is nothing *any* host hypervisor can do to data if the requirements of confidentiality and integrity are preserved in a correct implementation where those two invariants hold.. nothing..
There are many ways to engineer a system to meet this requirement, as there always are, but we only need one to prove correctness, so a system where a Trusted Platform Module (TPM) is constructed, where an invariant holds that the TPM is always outside the isolation boundary of the hypervisor would provide such a correct system.
Okay there you are.. Remember to always try to solve the problem and if you need another component than your current system at hand gives you, use composition and add it.. That is engineering..
Anthony
I think that there's a difference between the physical shared environments in corporate data centres and clouds as there are many restrictions on who can get access to the resources in a corporate data centre, so the real defences in place are actually quite weak. Indeed, they are often absent, but the poor auditing of the systems does not throw this up.
In practice, it seems hard to me to target a specific entity to breach its CIA unless the VMs can identify each other or specific storage resources.
@Anthony
I don't think that the issue is the theoretical proximity provability. Your argument makes sense. However, you've introduced a new hardware requirement, which means that the VMs cannot see the whole platform and therefore cannot be VMs as they are currently envisaged. That may be a reasonable constraint, especially for Linux based OSes.
Internet security has always been a matter of concern for everybody and therefore computer savvy people try and test different ways out to make Internet environment safe and secure. With this thought in mind cloud service providers also work out ways to safeguard their clouds they have been managing for their clients from thefts like spamming and hacking.
Moreover, security threats are important to deal with because it would interrupt other organizations to choose for cloud services further.