Cloud Computing Security

Security in cloud computing is a major concern. Data in the cloud should be stored in encrypted form. To prevent clients from accessing shared data directly, proxy and brokerage services should be employed.

Security Planning

Before deploying a particular resource to the cloud, one needs to analyze several attributes of the resource, such as:

  • Select which resources are going to be moved to the cloud and analyze their sensitivity to risk.

  • Consider the cloud service models, such as IaaS, PaaS and SaaS. These models make the consumer responsible for security at different levels of the service.

  • Consider the cloud type, such as public, private, community or hybrid.

  • Understand the cloud service provider's system: how data is transferred, where it is stored, and how to move data into and out of the cloud.

The risk in a cloud deployment depends mainly upon the service model and the cloud type.

Understanding Security of Cloud

SECURITY BOUNDARIES

A particular service model defines the boundary between the responsibilities of the service provider and the consumer. The Cloud Security Alliance (CSA) stack model defines the boundaries between each service model and shows how the different functional units relate to each other. The following diagram shows the CSA stack model:

[Diagram: CSA stack model]

KEY POINTS TO CSA MODEL: 

  • IaaS is the most basic level of service, with PaaS and SaaS the next two levels above it.

  • Moving upwards, each service inherits the capabilities and security concerns of the model beneath it.

  • IaaS provides the infrastructure, PaaS provides the platform development environment, and SaaS provides the operating environment.

  • IaaS has the least integrated functionality and integrated security, while SaaS has the most.

  • This model describes the security boundaries at which the cloud service provider's responsibility ends and the consumer's responsibilities begin.

  • Any security mechanism below the security boundary must be built into the system; anything above it must be maintained by the consumer.

Although each service model has its own security mechanisms, security needs also depend upon where these services are located: in a private, public, hybrid or community cloud.

UNDERSTANDING DATA SECURITY

Since all data is transferred over the Internet, data security is a major concern in the cloud. The key mechanisms for protecting data are listed below:

  • Access Control

  • Auditing

  • Authentication

  • Authorization

All of the service models should incorporate security mechanisms operating in all of the above-mentioned areas.

ISOLATED ACCESS TO DATA

Since data stored in the cloud can be accessed from anywhere, to protect the data we must have a mechanism that isolates it from direct client access.

Brokered Cloud Storage Access is one approach to isolating storage in the cloud. In this approach, two services are created:

  • A broker with full access to storage but no access to the client.

  • A proxy with no access to storage but access to both the client and the broker.

WORKING OF BROKERED CLOUD STORAGE ACCESS SYSTEM

When the client issues a request to access data:

  • The client's data request goes to the proxy's external service interface.

  • The proxy forwards the request to the broker.

  • The broker requests the data from the cloud storage system.

  • The cloud storage system returns the data to the broker.

  • The broker returns the data to the proxy.

  • Finally, the proxy sends the data to the client.
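The following is an added illustration of the brokered access flow above and of the four mechanisms listed earlier (access control, auditing, authentication, authorization); it is example code written for this page, not part of the original tutorial or any real product. The storage system, tenants, tokens and ACL are constructed sample data; the point it shows is that only the broker holds a storage handle, while the proxy authenticates the client and the broker authorizes and audits every read.

```python
from typing import Dict, List, Optional, Set, Tuple


class CloudStorage:
    """Constructed stand-in for the cloud storage system: an in-memory object store."""
    def __init__(self, objects: Dict[str, bytes]) -> None:
        self._objects = dict(objects)

    def get(self, key: str) -> bytes:
        return self._objects[key]          # KeyError if the object does not exist


class Broker:
    """Full access to storage, no client interface: authorizes every read and audits it."""
    def __init__(self, storage: CloudStorage, acl: Dict[str, Set[str]]) -> None:
        self._storage = storage            # the only component holding a storage handle
        self._acl = acl                    # tenant -> object keys that tenant may read
        self.audit_log: List[Tuple[str, str, str]] = []

    def fetch(self, tenant: str, key: str) -> bytes:
        if key not in self._acl.get(tenant, set()):
            self.audit_log.append((tenant, key, "DENIED"))
            raise PermissionError(f"{tenant} may not read {key}")
        data = self._storage.get(key)      # steps 3 and 4: broker <-> cloud storage
        self.audit_log.append((tenant, key, "ALLOWED"))
        return data


class Proxy:
    """External service interface: talks to the client and the broker, never to storage."""
    def __init__(self, broker: Broker, tokens: Dict[str, str]) -> None:
        self._broker = broker              # no reference to CloudStorage at all
        self._tokens = tokens              # bearer token -> tenant (authentication)

    def handle_request(self, token: str, key: str) -> Tuple[int, Optional[bytes]]:
        tenant = self._tokens.get(token)   # step 1: request arrives at the proxy
        if tenant is None:
            return 401, None               # unauthenticated: never reaches the broker
        try:
            return 200, self._broker.fetch(tenant, key)   # steps 2, 5 and 6
        except PermissionError:
            return 403, None               # authenticated but not authorized
        except KeyError:
            return 404, None


def build_demo() -> Tuple[Proxy, Broker]:
    """Wire up both services with constructed sample objects, tenants and tokens."""
    storage = CloudStorage({"tenantA/report.txt": b"A's quarterly report",
                            "tenantB/ledger.csv": b"B's ledger"})
    broker = Broker(storage, {"tenantA": {"tenantA/report.txt"}, "tenantB": {"tenantB/ledger.csv"}})
    return Proxy(broker, {"tok-A": "tenantA", "tok-B": "tenantB"}), broker
```

A request with an unknown token is rejected at the proxy and never appears in the broker's audit log, while a valid token reading another tenant's object is refused by the broker and logged as denied.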

ENCRYPTION

Encryption helps to protect data from being compromised. It protects data in transit as well as data stored in the cloud. Although encryption helps to protect data from unauthorized access, it does not prevent data loss.

Cloud Computing Virtualization

Virtualization

Virtualization is a technique that allows a single physical instance of an application or resource to be shared among multiple organizations or tenants (customers). It does so by assigning a logical name to a physical resource and providing a pointer to that physical resource when demanded.

Virtualization Concept

Creating a virtual machine over an existing operating system and hardware is referred to as Hardware Virtualization. Virtual machines provide an environment that is logically separated from the underlying hardware.

The machine on which the virtual machine is created is known as the host machine, and the virtual machine is referred to as the guest machine. This virtual machine is managed by software or firmware known as a hypervisor.

HYPERVISOR

A hypervisor is firmware or a low-level program that acts as a Virtual Machine Manager. There are two types of hypervisor:

Type 1 hypervisor runs on a bare system. LynxSecure, RTS Hypervisor, Oracle VM, Sun xVM Server and VirtualLogic VLX are examples of Type 1 hypervisors. The following diagram shows the Type 1 hypervisor.

[Diagram: Type 1 hypervisor]

The Type 1 hypervisor does not have any host operating system because it is installed on a bare system. Type 2 hypervisor is a software interface that emulates the devices with which a system normally interacts. Containers, KVM, Microsoft Hyper-V, VMware Fusion, Virtual Server 2005 R2, Windows Virtual PC and VMware Workstation 6.0 are examples of Type 2 hypervisors. The following diagram shows the Type 2 hypervisor.

[Diagram: Type 2 hypervisor]

Types of Hardware Virtualization

Here are the three types of hardware virtualization:

1. Full Virtualization

2. Emulation Virtualization

3. Paravirtualization

FULL VIRTUALIZATION

In Full Virtualization, the underlying hardware is completely simulated. Guest software does not require any modification to run.

EMULATION VIRTUALIZATION

In Emulation Virtualization, the virtual machine simulates the hardware and hence becomes independent of it. In this case, the guest operating system does not require modification.

PARAVIRTUALIZATION 

In Paravirtualization, the hardware is not simulated. The guest software runs in its own isolated domains.

VMware vSphere is a highly developed infrastructure that offers a management framework for virtualization. It virtualizes the system, storage and networking hardware.

Creating Cloud Storage System

The cloud storage system stores multiple copies of data on multiple servers and in multiple locations. If one system fails, only the pointer to the stored object's location needs to be changed.

To aggregate storage assets into cloud storage systems, the cloud provider can use storage virtualization software such as StorageGRID. It creates a virtualization layer that gathers storage from different storage devices into a single management system. It can also manage data from CIFS and NFS file systems over the Internet. The following diagram shows how StorageGRID virtualizes the storage into storage clouds:

[Diagram: StorageGRID storage virtualization]

Virtual Storage Containers

Virtual storage containers offer high-performance cloud storage systems. Logical Unit Numbers (LUNs) of devices, files and other objects are created in virtual storage containers. The following diagram shows a virtual storage container defining a cloud storage domain:

[Diagram: virtual storage container defining a cloud storage domain]

Challenges

Storing data in the cloud is not such a simple task. Apart from its flexibility and convenience, it also presents several challenges for consumers. Consumers require the ability to:

  • Provision additional storage on demand.

  • Know and restrict the physical location of the stored data.

  • Verify how data was erased.

  • Have access to a documented process for securely disposing of data storage hardware.

  • Have administrator access control over data.

Cloud Computing Data Storage

Cloud Storage is a service that allows data to be saved on an offsite storage system managed by a third party and made accessible through a web services API.

Storage Devices

Storage devices can be broadly classified into two categories:

  • Block Storage Devices

  • File Storage Devices

BLOCK STORAGE DEVICES

Block Storage Devices offer raw storage to the clients. This raw storage can be partitioned to create volumes.

FILE STORAGE DEVICES

File Storage Devices offer storage to clients in the form of files, maintaining their own file system. This storage takes the form of Network Attached Storage (NAS).

Cloud Storage Classes

Cloud Storage can be broadly classified into two categories:

  • Unmanaged Cloud Storage

  • Managed Cloud Storage 

UNMANAGED CLOUD STORAGE

Unmanaged Cloud Storage means that the storage is preconfigured for the consumer. The consumer cannot format it, nor can the consumer install their own file system or change drive properties.

MANAGED CLOUD STORAGE

Managed Cloud Storage offers online storage space on demand. Managed cloud storage system presents what appears to the user to be a raw disk that the user can partition and format.