

By: Benedict D. Sy

Abstract

The field of cloud computing is still in its infancy as far as implementation and usage are concerned, partly because it is heavily promoted by technology advancement and is so resource-dependent that researchers in academic institutions have not had many opportunities to analyze and experiment with it. However, cloud computing arises from IT technicians' desire to add another layer of separation in processing information. At the moment, a general understanding of cloud computing refers to the following concepts: grid computing, utility computing, software as a service, storage in the cloud and virtualization. These refer to a client using a provider's service remotely, also known as "in the cloud". Although there is an ongoing debate on whether those concepts should be separated and dealt with individually, the general consensus is that all those terms can be summarized under the cloud computing umbrella. Given its recent development and the scarcity of published academic work, many discussions on the topic of cloud security have surfaced from engineers in companies that provide the aforementioned services. Nevertheless, academia is developing a significant presence and is able to address numerous issues.

Introduction

Cloud computing is frequently taken to be a term that simply renames common technologies and techniques that we have come to know in IT. It may be interpreted to mean data center hosting and then subsequently dismissed without catching the improvements to hosting called utility computing that permit near real-time, policy-based control of computing resources. Or it may be interpreted to mean only data center hosting rather than understood to be the significant shift in Internet application architecture that it is. Organizations would rather use the term service grid, frankly, but that name also has its problems.

The fact is that cloud and service grid computing are paradigmatically different from their common interpretations, and their use can shed light on how Internet architectures are constructed and managed. Cloud computing is not an innovation per se, but a means of constructing IT services that use advanced computational power and improved storage capabilities. From the provider's view, the main focus of cloud computing is extraneous hardware connected to support downtime on any device in the network, without a change in the users' perspective. Also, the users' software image should be easily transferable from one cloud to another. Balding proposes that a layering mechanism should exist between the front-end software, middleware networking and back-end servers and storage, so that each part can be designed, implemented, tested and run independently of subsequent layers (Balding 2008).

1 University of Saint Louis Tuguegarao

Review of Related Literature

This paper introduces the current state of cloud computing, with its development challenges, and further, it describes cloud computing security problems and benefits and showcases a model of secure architecture for cloud computing and its implementation issues.

Keywords: Cloud Computing, Cyber Infrastructure, Virtualization

Cloud Computing

What is cloud computing?

A key differentiating element of a successful information technology (IT) is its ability to become a true, valuable, and economical contributor to cyber infrastructure (Atk2003). Cloud computing embraces cyber infrastructure and builds upon decades of research in virtualization, distributed computing, grid computing, utility computing, and more recently networking, web and software services. It implies a service-oriented architecture, reduced information technology overhead for the end user, greater flexibility, reduced total cost of ownership, on-demand services and many other things. Cloud computing has been defined as the use of a collection of distributed services, applications, information and infrastructure comprised of pools of computer, network, information and storage resources. These components can be rapidly orchestrated, provisioned, implemented and decommissioned using an on-demand, utility-like model of allocation and consumption. Cloud service delivery models are Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS). Cloud computing involves relocating a business's data and applications into a highly sophisticated series of redundant servers, strategically located geographically to serve that business's purposes. The redundant servers allow users near-perfect uptime, accurate and timely data, and the ability for portable access, according to Samantha Morrow and Virgie Ammerman (December 2, 2010). On the other hand, cloud computing implies a service-oriented architecture, reduced information technology overhead for the end user, greater flexibility, reduced total cost of ownership, on-demand services and many other things (Mladen A. Vouk 2008). In the study of Gartner (2009), cloud computing is a style of computing where scalable and elastic IT-enabled capabilities are provided as a service to external customers using Internet technologies.
Development Challenges of Cloud Computing in Higher Education

The potential and efficiency of using cloud computing in higher education have been recognized by many universities, among which are the University of California, Washington State University's School of Electrical Engineering and Computer Science, and higher education institutions from the UK and Africa (Sultan, 2010). Cloud computing offers universities the possibility of concentrating more on teaching and research activities rather than on complex IT configuration and software systems (McCrea, 2009), through fast IT implementation. According to Tout et al. (2009), complexity can be reduced with cloud computing. In addition, cloud solutions can be used to support cooperative learning and socially oriented theories of learning, using

computer technologies to support collaborative methods of instruction (Thorsteinsson et al., 2010). Cloud computing offers many benefits to e-learning solutions by providing the infrastructure, platform and educational services directly through cloud providers and by using virtualization, centralized data storage and facilities for data access monitoring (Pocatilu et al., 2009). In order to ensure success in e-learning, universities use metrics systems adapted to measure the effectiveness of cloud-based e-learning solutions. Currently, there are many practices and examples regarding the use of cloud computing. For instance, in the Commonwealth, many colleges and universities collaborated in the formation of the Virginia Virtual Computing Lab (Wyld, 2009). This allowed institutions both to cut down IT expenses (by reducing the need for licensing and software updating) and to maintain their own data centers, as well as to improve IT resources for researchers and students. By including cloud services, North Carolina State University achieved a substantial decrease in software licensing expenses and at the same time reduced the campus IT staff from 15 to 3 employees with a full working schedule (Wyld, 2009). Another example is Kuali Ready (Bristow et al., 2010), a community-source project chartered to provide a business continuity planning service; it is also an example of higher education institutions organizing themselves to provide cloud services. Kuali Ready is a good early example of some key principles that are emerging to guide cloud developments. According to the study of Sasikala and Prema (2010), the use of cloud computing in higher education must be analyzed both from the point of view of its benefits and from that of its risks and limitations (table 1). After the analysis, one or more models of cloud computing may be chosen. The decision must take into account the real needs and be aligned with the university strategy.

Threats and Security Challenges

The study of Kevin Hamlen et al. (2009) focuses on storage security, middleware security, data security, network security and application security. The main goal is to securely store and manage data that is not controlled by the owner of the data and specific aspects of cloud computing. Smith (2009) stressed that with cloud computing, the physical locations of data are spread across a geographic area that could span continents, countries or regions. One of the top security concerns of enterprises is the physical location of the data stored in the cloud, especially if it is located in another country, because the laws of the host country of the equipment apply to the data on the machines. That could be a big issue if the host country does not have adequate laws to protect sensitive data, if the host nation becomes hostile, or if the government of the hosting nation changes and becomes unfriendly. There have also been instances of a complete blackout of entire cloud services, making them unavailable for hours and even days due to bugs. Google's Gmail went down for two hours, Citrix's GoToMeeting and GoToWebinar were temporarily unavailable, and Amazon.com's Simple Storage Service was "out of commission for excruciating eight hours" (Hoover, 2008). Imagine an enterprise that completely depends on a cloud computing service provider whose system has been disrupted for hours or days; the loss of business could be catastrophic. Cloud computing faces just as many security threats as are currently found in the existing computing platforms, networks, intranets and internets in enterprises. These threats and risk vulnerabilities come in various forms (Cloud Computing Alliance, 2010).

Croll (2008) points out that start-up companies often lack the protection measures to weather an attack on their servers due to the scarcity of resources: poor programming that exposes software vulnerabilities (PHP, JavaScript, etc.), open ports in firewalls, or nonexistent load-balancing algorithms that leave them susceptible to denial of service attacks. For this reason, new companies are encouraged to pursue cloud computing as the alternative to supporting their own hardware backbone. However, cloud computing does not come without its pitfalls. For starters, a cloud is a single point of failure for multiple resources. Even though network carriers' distributed cloud structure is the right implementation, it faces major challenges in finding the optimal approach for low power transmission and high network availability. Major corporations will shy away from implementing cloud solutions in the near future due to ineffective security policies. One problem comes from the fact that different cloud providers have different ways to store data, so creating a distributed cloud implies more challenges to be solved between vendors (Ponemon 2009). According to Pfleeger (2006), a vulnerability is a weakness in the security system that could be exploited to cause harm. Enterprise cloud computing is just as vulnerable as any other technology that uses the public Internet for connectivity. Moving data to a cloud service is just like putting all your eggs in one basket (Perez, 2009).

Implementations and Policies

According to Traian Andrei (2009), the cloud should have policies that divide the users' view of one application from the back-end information storage. This may be solved by using virtualization, multiple processors or network adaptors. Mladen A. Vouk (2009) stated that cloud computing builds on decades of research in virtualization, distributed computing, utility computing, and more recently networking, web and software services.
It implies a service-oriented architecture, reduced information technology overhead for the end user, great flexibility, reduced total cost of ownership, on-demand services and many other things. Cloud computing deployment decisions are frequently made by end users who may not have the knowledge or expertise to properly evaluate security risks. Risk, according to the SANS Institute (2009), "is the potential harm that may arise from some current process or from some future event." In IT security, risk management is the process in which we understand and respond to factors that may lead to a failure in the confidentiality, integrity or availability of an information system (SANS Institute); the IT security risk is the harm to a process or the related information resulting from some purposeful or accidental event that negatively impacts the process or the related information (SANS Institute). Edwards (2009) stated that, with the security risks and vulnerabilities being discovered in enterprise cloud computing, enterprises that want to proceed with cloud computing should use the following steps to verify and understand the cloud security provided by a cloud provider:

1.) Understand the cloud by realizing how the cloud's uniquely loose structure affects the security of data sent into it. This can be done by having an in-depth understanding of how cloud computing transmits and handles data.
2.) Demand transparency by making sure that the cloud provider can supply detailed information on its security architecture and is willing to accept regular security audits. The regular security audit should be from an independent body or federal agency.
3.) Reinforce internal security by making sure that the cloud provider's internal security technologies and practices, including firewalls and user access controls, are very strong and can mesh very well with the cloud security measures.
4.) Consider the legal implications by knowing how the laws and regulations will affect what you send into the cloud.
5.) Pay attention by constantly monitoring any development or changes in the cloud technologies and practices that may impact your data's security.

Governance Strategy and Good Governance Technology

According to Kobielus (2009), moving into cloud computing requires a good governance strategy and a good governance technology. Interest in governance has been revitalized because trust is being extended to a cloud provider across premises and across corporate boundaries. A cloud computing governance function requires active management participation, the proper forum to make IT-related decisions, and effective communication between the IT organization and the company's management team. Maches (2010) proposed that cloud risk management be included in the cloud computing governance function, which requires risk awareness by senior corporate officers, a clear understanding of the enterprise's appetite for risk, understanding of compliance requirements, transparency about the significant risks to the enterprise and embedding of risk management responsibilities into the IT organization.
Cloud Computing Strengths/Benefits

Cloud computing weaknesses include a list of issues such as the security and privacy of business data being hosted in remote third-party data centers, being locked in to a platform, reliability and performance concerns, and the fear of making the wrong decision before the industry begins to mature (Hinchcliffe, 2009). According to Bendandi (2009), the top security benefits of cloud computing include the following. Security and the benefits of scale: all kinds of security measures are cheaper when implemented on a large scale, including all kinds of defensive measures such as filtering, patch management, and hardening of virtual machine instances and hypervisors. The benefits of scale also include multiple locations, edge networks (content delivered or processed closer to its destination), timeliness of response to incidents and centralized threat management. Security as a market differentiator: this gives cloud providers a strong driver to improve security practices, and many cloud customers will buy on the basis of a provider's reputation for confidentiality, integrity and resilience and the security services it offers. Large cloud providers will offer a standardized, open interface to manage security, thereby opening a market for security services. Rapid and smart scaling of resources: a cloud provider can dynamically reallocate resources for filtering, traffic shaping, authentication, encryption and defensive measures against attacks such as distributed denial-of-service (DDoS).

The cost of cloud computing in information security management includes the costs of migrating, implementing, integrating, training, and redesigning. It also includes the cost of training support staff in the new processes. The new architecture could generate new security holes and issues during redesign and deployment of the implementation, thereby driving costs up. In the application areas of information risk management, cloud computing is a commercially viable alternative for enterprises in search of a cost-effective storage and server solution (Waxer, 2010). But Gartner Inc. predicts that by 2012, 80 percent of Fortune 1000 enterprises will pay for some cloud-computing service (Waxer, 2010), while 30 percent of them will pay for cloud-computing infrastructure. While the technology has its fair share of drawbacks (such as privacy and security concerns), an undeniable potential benefit is turning a lot of skeptics into enthusiasts (Waxer, 2010).

Self Hosting vs. Cloud Hosting

Microsoft (2009) classifies assets for cloud hosting to determine the strength of security controls to apply. The categories take into account the relative potential for financial and reputational damage should the asset be involved in a security incident. Once assets are classified, a defense-in-depth approach is taken to determine what protections are needed. For example, data assets falling into the moderate impact category are subject to encryption requirements when they reside on removable media or when they are involved in external network transfers. High impact data, in addition to those requirements, is subject to encryption requirements for storage and for internal system and network transfers as well.
According to David Molnar and Stuart Schechter (2009), self hosting provides greater direct control over infrastructure than can be achieved when leasing shared infrastructure from the cloud. In particular, cloud providers can afford security measures with upfront costs that would be unaffordable in self-hosting environments, amortizing these costs over myriad machines or tenants. Regarding new security features that could be deployed to cloud tenants, the study of Garfinkel et al. (2009) states that existing work shows how to detect malware by scanning memory images, and more generally how to identify specific objects in a memory dump. Cloud providers could use this functionality as part of a cloud infrastructure to audit tenant execution with modest overhead. The study also describes an architecture for embedding intrusion detection directly inside a hypervisor.

Secure Architecture Models

Open Security Architecture (OSA) provides free frameworks for the security architecture community that are easily integrated in applications. Its patterns are based on schematics that show the information traffic flow for a particular implementation, as well as the policies implemented at each step for security reasons. The important entities involved in the data flow are end users, developers, system architects, third-party auditors and the cloud itself (Bendandi, 2009).


According to Ponemon (2009), end users need to access certain resources in the cloud and should be aware of access agreements such as acceptable use or conflict of interest. In this model, end user signatures may be used to confirm that someone is committed to such policies. The client organization should run mechanisms to detect vulnerable code or protocols at entry points such as firewalls, servers, or mobile devices, and upload patches to the local systems as soon as vulnerabilities are found. This approach ensures security for the end users and for the cloud alike. However, the cloud needs to be secure from any user with malicious intent who may attempt to gain access to information or shut down a service. For this reason, the cloud should include denial of service (DoS) protection. One way of enforcing DoS protection is to improve the infrastructure with more bandwidth and better computational power, which the cloud has in abundance. In the more traditional sense, however, it involves filtering certain packets that have similar IP source addresses or server requests. The next issue between the cloud provider and end users is transmission integrity. One way of implementing integrity is to use Secure Sockets Layer (SSL) or Transport Layer Security (TLS) to ensure that sessions are not altered by a man-in-the-middle attack. At a lower level, the network can be made secure by the use of Internet Protocol Security (IPsec). Lastly, the final middle point between end users and the cloud is transmission confidentiality, or the guarantee that no one is listening in on the conversation between authenticated users and the cloud. The same mechanisms mentioned above can also guarantee confidentiality. According to Gartner (2008), system architects are tasked with writing the policies that pertain to the installation and configuration of hardware components such as firewalls, servers and routers, and software such as operating systems, thin clients, etc.
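The filtering of requests with similar source addresses or similar server requests described above, as an added example that is not part of the original paper: a sliding-window filter that groups traffic either by source network or by requested resource. The window length, the per-group limit, the /24 and /64 prefix sizes and the sample events are assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network


def source_prefix(ip):
    """Collapse an address to its network: /24 for IPv4, /64 for IPv6 (assumed sizes)."""
    bits = 24 if ip_address(ip).version == 4 else 64
    return str(ip_network(f"{ip}/{bits}", strict=False))


def by_source_prefix(event):
    """Group requests whose source addresses are similar (same network)."""
    return source_prefix(event[1])


def by_request(event):
    """Group requests that ask the server for the same resource."""
    return event[2]


def filter_requests(events, key=by_source_prefix, window=10, limit=5):
    """Sliding-window filter over (timestamp, source_ip, path) tuples.

    At most `limit` requests per group are admitted in any `window` seconds;
    further requests from that group are dropped until older ones age out.
    Returns (admitted, dropped).
    """
    recent = defaultdict(deque)  # group -> timestamps of admitted requests
    admitted, dropped = [], []
    for event in sorted(events):  # process in time order
        ts = event[0]
        seen = recent[key(event)]
        while seen and ts - seen[0] >= window:
            seen.popleft()  # forget requests that fell out of the window
        if len(seen) >= limit:
            dropped.append(event)
        else:
            seen.append(ts)
            admitted.append(event)
    return admitted, dropped


# Constructed sample traffic using documentation address ranges (not real hosts):
# seven hosts in one /24 hit /login within seven seconds, one unrelated client
# browses normally, and one host from the noisy /24 returns after the window.
SAMPLE_EVENTS = [
    (0, "198.51.100.1", "/login"),
    (1, "198.51.100.2", "/login"),
    (2, "198.51.100.3", "/login"),
    (2, "203.0.113.9", "/index"),
    (3, "198.51.100.4", "/login"),
    (4, "198.51.100.5", "/login"),
    (5, "198.51.100.6", "/login"),
    (6, "198.51.100.7", "/login"),
    (7, "203.0.113.9", "/index"),
    (12, "198.51.100.1", "/login"),
]

if __name__ == "__main__":
    ok, blocked = filter_requests(SAMPLE_EVENTS)
    print(f"admitted={len(ok)} dropped={len(blocked)}")
    for ts, ip, path in blocked:
        print(f"drop t={ts} src={ip} net={source_prefix(ip)} path={path}")
```

Grouping by network rather than by single address catches a burst spread over many hosts in one range, at the cost of also throttling legitimate clients that share that range.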
System architects designate control protocols to direct the information flow within the cloud, such as router update/queuing protocols, proxy server configurations or encrypted tunnels. Gartner also points out that developers building an application in the cloud need to access the infrastructure where the development environment is located. They also need to access some configuration server that allows them to test applications from various views. Cloud computing can improve software development by scaling the software environment through elasticity of resources. Developers may want extra virtual machines either to generate test data or to perform data analysis, processes which take significant time. Using more processing power from the cloud can also help in catching up with the development schedule. The cloud also helps developers create multiple evaluation version environments for their applications, bypassing the need to incorporate additional security within the application and placing the burden on the cloud provider. One significant drawback of cloud computing at the moment is its limitation to the Intel x86 processor architecture. Even if this may very well change in the future, it is another stumbling block that developers and cloud computing experts need to overcome. Software monitoring may be done by monitoring API calls for server requests. With an architectural model where data is centralized, all eyes are focused in one direction, which implies better monitoring, although ultimately the issue rests with the developers and clients and how much effort they direct to this. As far as security patches for the software as a service approach, updating a

patch is more easily done in the cloud and shared with everyone seamlessly, rather than by finding every machine that has the software installed locally (IBM 2009). Third-party auditors are used by clients and providers alike to determine the security of the cloud implementation. Depending on the level of commitment to security and its usefulness in obtaining a competitive edge, a cloud vendor may choose to submit itself to regular security assessments in an attempt to obtain accreditation. The accreditation process needs to be undertaken every three years. Thus, in order to lower the constraints on the cloud vendor, some organizations may implement continuous monitoring of the cloud system (Weinberg, 2008).

Conceptual Framework

[Figure: conceptual framework diagram. Recoverable labels: Cloud Computing; Challenges; Implementations/Policies; Confidentiality; Strategies; Models; measures.]

Conclusion

In this study I've learned that deploying cloud computing technology brings significant security and implementation concerns. Successful implementation of cloud computing requires proper planning and an understanding of emerging risks, threats, vulnerabilities, and possible countermeasures. Enterprises should analyze the company's or organization's security risks, threats, and available countermeasures before adopting this technology. They should also ask what security concerns are preventing companies and organizations from taking advantage of the cloud, and consider the architecture models that should be implemented before adopting this technology.

Implications for further research

The implications of this study are the number of uncertainties from a cloud computing technology perspective and the current state of the different implementation measures. How does the simple security model known as the CIA for Security (Confidentiality, Integrity and Availability) pertain to cloud computing? All of the best-practice processes for securing implementations would still apply with cloud computing. As always happens when we introduce new technology to gain some new capability, we also add new risks, vulnerabilities and exploits, which makes it necessary to know the implementation measures in the current and future state of this technology in academe and in corporate organizations.

References

F. Chang, J. Dean, S. Ghemawat, W. C. Hsieh, D. A. Wallach, M. Burrows, T. Chandra, A. Fikes, and R. E. Gruber. Bigtable: a distributed storage system for structured data. In OSDI 06: Proceedings of the 7th edition
(Croll 2008) Alistair Croll, "Why Cloud Computing Needs Security", 2008
(Erickson 2008) Jonathan Erickson, "Best Practices for Protecting Data in the Cloud", 2008
(Brodkin 2008) Jon Brodkin, "Seven Cloud-Computing Security Risks", 2008
(Mills 2009) Elinor Mills, "Cloud Computing Security Forecast: Clear Skies", 2009
(Schwartz 2008) Ephraim Schwartz, "Hybrid model brings security to the cloud", 2008
(OCC 2008) The Open Cloud Consortium, 2008
(OSA 2009) Open Security Architecture, 2009
(Jaeger 2008) Paul Jaeger, Jimmy Lin, Justin Grimes, "Cloud Computing and Information Policy", March 2008
(Rittinghouse 2009) John Rittinghouse, "Cloud Computing: Implementation, Management, and Security", 2009
(Armbrust 2009) Michael Armbrust, Armando Fox, ... , "Above the Clouds: A Berkeley View of Cloud Computing", February 10, 2009
(Reese 2009) George Reese, "Cloud Application Architectures", April 2009, O'Reilly Media
(Gu 2008) Yunhong Gu, Robert L. Grossman, "Sector and Sphere: The Design and Implementation of a High Performance Data Cloud", UK, 2008
(Bendandi 2009) Bendandi, S., "Cloud computing: Benefits, risks and recommendations for information security", scribd.com, 2009

Bibliography

Benedict D. Sy, proponent of the paper entitled Implementation Measures on Cloud Computing, is a graduate of BS in Information Management, class of 2007, and is currently taking up his Masters in Information Technology at the University of Saint Louis Tuguegarao (USLT). He is currently teaching IT professional subjects at the University of Cagayan Valley (UCV). He has also attended various seminars and training programs in ICT and has conducted lectures and trainings related to business and the IT profession in various schools. He is also the current department adviser of the College of Computer Engineering and Information Technology of their University.
