SlideShare a Scribd company logo

Cloud computing & IAAS The Dual Edged Sword of New Technology

M
Mekhi Da ‘Quay Daniels

The document discusses the emergence of Infrastructure as a Service (IaaS) within cloud computing, emphasizing its benefits and the essential security considerations that must be addressed. It outlines the responsibilities of IaaS providers, the potential security challenges such as loss of data control and cloud server reliability, and best practices for secure implementation. Key areas of focus include physical security measures, secure programming principles, data validation processes, and the importance of real-time security monitoring to mitigate risks associated with cloud services.

Business
1 of 8
Download to read offline
1
2
3
4
5
6
7
8
1 | P a g e Cloud Computing: Infrastructure As A Service - The Dual-Edged Sword of New Technology By Mekhi D., Tyler L., William M. Abstract: Cloud Computing has emerged as the premier infrastructure for creating affordable, scalable and reliable IT solutions for companies of all sizes. However, as with all new technologies, Cloud Computing poses many demanding security considerations, and each must be addressed to ensure the confidentiality, integrity, availability, authenticity, and privacy of a developer’s product. This paper will focus on Infrastructure as a service (IaaS), a subset of cloud computing that provides virtualized computing resources over the internet. An IaaS provider is responsible for hosting infrastructure components such as servers, storage space, and networking hardware to alleviate the cost burden from their consumers of having to maintain such facilities on-site. Companies such as Amazon, Google, Microsoft and Digital Ocean have created an industry worth billions of dollars to provide this very service to businesses of all sizes. For example, Lyft, the second biggest ridesharing company in the world, relies on Amazon’s IaaS, complemented by Amazon’s SaaS, to run much of their external consumer network. Lyft has credited much of the success of their product to the demand-based elastic server and resource allocation features provided by Amazon Web Services.[13] This paper will breakdown the security challenges of IaaS usage and implementation into physical infrastructure security considerations, the necessary secure programming principles, and cryptographic techniques for securing data, and make recommendations for best practices when moving to an IaaS solution. Keywords— Infrastructure as a Service (IaaS), Platform as a Service (PaaS), Amazon Web Services (AWS), Virtual Personal Network (VPN), Cryptography, Digital Certificate, Hardware Security Module, PKI, Encryption, I. INTRODUCTION Infrastructure as a Service (IaaS) as a concept came into fruition in the 1990’s alongside the usage of VPNs by telecommunication companies. These companies realized that they were able to switch from physical point-to-point connections to VPN-enabled connections with comparable quality of services, with a lowered cost for both the consumer and the organization. VPNs also gave organizations better control over sever processing usage by allowing them to dynamically allocate network traffic in response to demand. Over time, as the technology matured, businesses extended the boundaries of cloud computing to cover all servers and most network infrastructure functions, and thus IaaS was born[6]. “In terms of business, cloud computing is becoming more and more important” [7]. In the last ten years, with the creation of companies such as Amazon Web Services, the IT industry has become dominated by the usage of IaaS to provide the services traditionally accomplished by hosting costly on-site hardware installations. As Anand states, “the advantages of cloud services for the customers include lowering the costs for managing huge resources, as now the companies need not manage the resources which are managed by the CSPs such as Google, Amazon, Microsoft etc. Moreover, the computer resources may be used on demand basis such as on pay-per-use basis by the customers”[4]. Though IaaS products are cost-effective and low maintenance when provisioned correctly, consumers are realizing that this freedom from a rigid cost structure comes with a loss of security in three ways:  Users will lose their physical control over the data once they outsource their data to cloud servers, and the integrity of data may be violated without user awareness [5].  Cloud server providers may behave unfaithfully toward the data owners [5].  Even if the cloud server is honest, there still exists the possibilities of cloud server failure and management errors or adversary attacks, which can lead to the corruption of stored data [5].
2 | P a g e The next section will address the secure programming principles and techniques necessary, and commonly used, to address the common vulnerabilities found within an organization’s usage and implementation of an IaaS-modeled system. II. SECURING THE PHYSICAL INFRASTRUCTURE A. Availability and Natural Diasasters One of the defining characteristics of an IaaS model is guaranteeing high availably, in that if the services are configured properly, the end users will not have downtime because of hardware or service limitations from the IaaS provider. Part of the allure of using an IaaS provider is that provisioning a facility with the necessary infrastructure to support high availably is extremely costly, given that “to ensure the facilities maintain uptime should they come under attack from natural sources or otherwise, physical security is not only limited to the outside of the building. Data centres need utilities to be resilient and redundant so if one system fails, there is a backup. These include water, power, telephone lines and air filtration systems to ensure security systems, heating, ventilation and air conditioning continue to operate in case of an area-wide power outage” [1]. Natural disasters and terrorist threats are of chief concern when planning the design of data center facilities, and to allay these concerns cloud data centers must be built to withstand hurricanes, earthquakes, terrorist attacks, loss of power and other disasters. Certifications and compliance exist to certify preparedness for these types of threats, such as Uptime Institute Tier III and ISO27001, which both use independent auditors to determine if a facility can withstand extreme weather/threats and still offer high availability, as well as have full redundancy in the physical implementation of the hardware systems. B. Controlling and Monitoring Access Part of data security in an IaaS cloud data center relies on controlling how the facility is accessed. Keeping people out who are not supposed to have access to hardware containing private data is a fundamental component of defending against social engineering and terrorist attacks. There are seven broad categories that are implemented [1]:  Fencing or a physical barrier a minimum of three meters in height.  Trembler wire on top of the fencing with a zoned alarm system for identifying breaches  Surveillance cameras on all entrances, exits and possible access points  Security team with on-site personal 24/7  Strict control of where vehicles can park for building access  Photo authentication and access control with different levels for appropriate areas of the facility.  Biometrics for monitoring the amount of people in a given area of the facility. Physical security is just the starting point for security in the cloud, secure programming techniques also play an equal part in keeping information safe in a cloud computing facility. III. SECURE PROGRAMMING PRINCIPLES AND TECHNIQUES A. Choosing the Right IaaS Provider True security starts from the foundation up, the security of an organization’s program will only be as secure as the infrastructure in which the program will be run/executed. As such, one of the most important and time-consuming parts of the implementation of an IaaS service is choosing the right provider who best meets your business needs, currently and in the future. When organizations are considering the outsourcing of internal technologies through IaaS, they must understand the different features that each IasS provider has to offer, and how each tooling set will interact with the current system the organization has in place. Only then can an informed decision be made to determine which service provider can provide the most applicable categorized gains to all organizational stakeholders. The following is an overview of some of the considerations that must be taken when developing a secure IaaS pipeline:  Type of Cloud Service Required: There are various types of cloud services.. The chart below will provide more detail on the types and how they can be used. The various types are designed to be specific to an organization’s needs.
3 | P a g e Table 1 [14]: Comparison of Cloud Computing Service Models Model Scope Managed By Security Level Public Model General Public and Industries Cloud Service Providers Low Private Model Single Organization Single Organization High Community Mode Organizations having similar policies and same security concerns Many organizations and IaaS providers High Hybrid Model Public and organization Public and organization Medium  Security Redundancy: An IaaS must have multi layers of security, such as Input Data Validation tools. Without these layers of security, an organization not only risk the security of their application, but will not be able to effectively protect the sensitive information that must be transmitted through the third-party IaaS network.  Providers who cater to business size/ Flexible capacity: Many of the industry leaders in IaaS chose to specialize their service to a desired client business size. When considering IaaS providers, one must look at providers that are able to provide a level of service a given business requires and determine if the IaaS provider will be able to grow as the business needs increase. [13]  Integration/ Interoperability: An IaaS provider should be assessed on the ability of the IaaS to smoothly integrate with existing software. When systems are not compatible, it can lead to security flaws due to missing features in the new host system. Fixing this issue requires expensive refactoring of the existing products, but refactoring has its own set of problems and bugs that can crop up even after the products are in production in the new environment.[12]  Usability: Usability is defined as the ease of use and learnability of a platform which is very important for modern-day companies. One must determine if a company’s existing staff will be able to smoothly operate the new network infrastructure with limited business disruption before switching to an IaaS based solution.  Provider’s offering of Cloud Management Tools: In addition to the IaaS product suite, some IaaS providers will provision their consumers with cloud management tools. These tools allow organizations optimize their service and gain insight on their own processes through analytical tooling and services provided by the IaaS providers.[12]  Providers with Disaster Recovery Solutions: Companies will never know when they’re about to be the target of malicious breach, especially when most network traffic may run through the third-party’s IaaS product. Even though cyber-attacks cannot be fully prevented, Disaster Recovery Solutions are a valuable resource in the effort to minimize the business disruption of such an attack.[12] The bullet points above illustrate a process that is unique to every organization and must be adapted around the business needs of a given industry. IaaS providers can also be evaluated on the Security-by-Design principles to gain a firm understanding on what are the necessary foundational security features that must be exhibited in any potential IaaS provider. [13] B. Security-By-Design Security-by-Design is defined as an approach to security that has been molded as a foundational platform for any developer/organization to formalize infrastructure design and automate security controls so that one can build security into every part of an infrastructure. Because of this formalization of principles, there are common rules that can be applied to emerging technologies, in this case adapted for IaaS technology[14]:  Principle of Least Privilege: IaaS Providers and consumers must focus on having solid tooling and procedures for monitoring and controlling access control. The most effective method of accomplishing this goal is to follow the principle of least privilege. The principle requires that only the necessary permissions are granted to users, to prevent privilege creep. The principle also addresses credential sharing, as in order to quickly isolate a security incident you must ensure that
4 | P a g e each member/group has their own credentials on the system.  Layered Security: Security must be a concern addressed throughout the infrastructure on both the provider and consumer side of the service. “…distributed architectures, massive resource sharing and virtual machine (VM) instances synchronization imply more data in transit in the cloud, thus requiring VPN mechanisms for protecting the system against sniffing, spoofing, man-in-the-middle and side-channel attacks” [6]. For example, if utilizing AWS there must be well defined and proper security control in the following areas: o Edge Network o Virtual Private Cloud o Subnet o Load Balancer o Every Instance o Operating system o Application Logic o IAM Each component is necessary for the creation of a secure infrastructure.  Procedures of Incident Response & Management: Even with the best security measures in place, a security developer must understand that failure is always a possibility. The only way to plan for an inevitable moment of failure is to have an established Incident Response Plan in place to effectively respond to a breach. An incident plan must be in place on both sides of the consumer-provider relationship, and these plans should be shared in order to ensure efficiency when responding to a security incident. The rule of thumb is to approach a development project from a pessimistic view, so all the potential flaws can be addressed before they become a vulnerability in the product once in production.  Data Prioritization: At the end of the day, data security is not an option when considering cloud security principles. Data is the main target of attack by malicious actors, and as such should be protected at all cost, within reason. When considering data as applied to cloud technologies, it can be categorized as follows: o Data in Transit: Data in transit is classified as data transmitted between servers within the organizational infrastructure or between the servers and the internet. Some of the common methods of securing the above stated data is the usage of proper transmission protocols such as Transport Layer Security (TLS) or HTTPS. Unfortunately, using secure protocols is often not enough to secure data in transit, as the virtual machines that are used in cloud computing communicate with each other over an internal software backplane that cannot be monitored/controlled with standard network security controls [8]. o Data at Rest: Data at rest is classified as data stored in storage mediums, including block storage, databases, and object storage. The most prevalent security best practice is the usage of encryption to protect this data.[8] Security by Design was created to act as a guideline for the development of any given security system. The principles can be followed to ensure that security is placed at all necessary layers of a given system, in both the physical and virtual components. C. Data Validation (Input/ Output) Data Validation is defined as the process of ensuring data has undergone “cleansing”, which ensures that the data is correctly formatted and relevant to the application. For IaaS providers to ensure that data is correctly protected within the cloud infrastructure, developers need to classify the data accurately and monitor how and when it is accessed. The most important and common data validation process occurs when verifying the username and password of a potential user on a platform. The new wave in technology is interconnectivity, which is the ability to access multiple databases in one application to expediate the process of a task completion for the end user. With the two following aspects combined, the need for proper data validation principles has never been so intense. To properly perform this task, data validation processes/procedures must be maintained on all sides of the data transaction, meaning that as the consumer, one must have correct data validation procedures in place as well. This ensures that if inaccurate data manages to surpass the provider’s data validation processes, it won’t allow the inaccurate data to be inputted for authorization into an organization’s system. When developing data validation procedures, experts like to categorize the processes into input and output related data validation. These two types will be explained in more detail below:
5 | P a g e  Input Validation: is defined as the proper testing of an input supplied by a user or an application. The purpose is to prevent improperly formatted data from entering the input system (IS), which deters malicious actors from attempting to breach the system. Failure to perform this process can lead to injection attacks, memory leakage, and eventually compromised systems. The common techniques used to accomplish input validation include: o Whitelisting: The process of dictating to the IS to only pass along data if it is included in the “whitelist” of expected data. This is the preferred method as it is easier to predict the allowable data input types than it is to predict every possible unallowable data field [5]. o Blacklisting: The process of dictating to the IS to not pass along a data item if it is specified on the “blacklist”. This method is generally less used due to the time-consuming nature and inability to fully predict every unallowable data field input.  Output Encoding: The process of transforming all characters of an untrusted output into an alternative representation for comparison purposes to validate the output before continuing along the data stream process. The purpose of which is to convert the data into a safe format where the input can be displayed as data to the user without the actual execution of code within the browser. Failure to follow output encoding procedures can lead to cross-site scripting vulnerabilities by allowing for the injection of client-side script code. Data Validation is a process that must be included into every application, to act as a preventive measure against a variety of malicious attacks. Preventive measures will eventually fail, so in order to prepare for this inevitability procedures must be in place that can alert the appropriate staff and provide the necessary information for the isolation and remediation of a potential attack. This is where the principles of security monitoring come into play. D. Real-Time Security Monitoring Due to the interconnectivity of modern information systems, the approach to monitoring data has been completely reshaped in the past two decades. Before the age of Big Data, monitoring principles were slow- acting reactive measures that would only alert the user after an attack had occurred with very minimal information being provided, providing the user with limited courses of remediation. Now monitoring principles have been re-tooled as fast reactive measures that issue alerts against an ongoing attack, accompanied with hefty amounts of information that provide the user with multiple methods of remediation in real-time to minimize the business disruption cause by a breach. IaaS provides bundle security services in their subscription services. Typically, these services are automated solutions responsible for the constant supervision of virtual and physical servers to identify any potential security threats. The correct utilization of these procedures will create various benefits for any organization, including the following:  Prevents loss of business due to customer frustration by ensuring that their Personally Identifiable Information (PII) is safe.  Used effectively, IaaS security services can minimize the risk/ease of using the cloud for the transferring and storage of data.  Security features allow businesses to fully utilize the cloud without the improper hindering of the business procedures  Establishment of a network baseline, which can used for comparison purposes to identify any inconsistent activity. Allowing for faster response times to security incidents.  Collection of incident-related data to be stored in case the type of attack wagered was encountered again, and to provide organizations with the necessary evidence to proceed with legal actions, if necessary, in the event of an attack. Monitoring acts as the last line of defense in most systems, and in a world where attackers don’t work on the 9-5 time frame this system must continuous be running to be fully effective. IV. CRYPTOGRAPHY Cryptography has a variety of definitions depending on the person you ask. According to Pathan, “Cryptography is a science that employs mathematical logic to keep information secure and includes techniques such as hiding information in images (steganography), hiding information in storage, or in transit.” [10] We can store sensitive information and transmit information securely over insecure networks to reduce the risk of an attacker altering or viewing that information. There are many different types of algorithms that have been used for cryptographic purposes, going back to the German Enigma machine in WWII to present
6 | P a g e day methods like AES and RSA. These algorithms take plaintext and logically scramble the data via encryption, which then becomes the ciphertext. Cryptographic keys are truly random after the algorithm is performed on the data, which is essential to keeping this information out of the wrong hands. Truly random keys make it nearly impossible for attackers to access data if the algorithm is up to today’s standards, which are decided by Cryptanalysis professionals in concert with research and community consensus. This standard is an evolving benchmark, as computing power continues to increase and become less of a factor in the time it takes for cryptographic keys to be cracked. Cryptography uses ciphers to encrypt and decrypt the data. There are two major ciphers, stream cipher and block cipher. Stream ciphers encrypt the data one bit at a time. Block ciphers chunk the data into 64-bit blocks and encrypt each block separately [10]. There are many functions that cryptography serves for an organization. The main areas of security are confidentiality, integrity, and availability. Cryptography covers confidentiality, integrity, authentication, and non-repudiation [10].  Confidentiality is insuring that only authorized individuals can access confidential information when they need to.  Integrity is the accuracy of information from the time the message is sent to the time it is read. Creating a hash for a message is one way to ensure message integrity. If the hash at the beginning is the same as the hash that the receiver sees, then the message has not been altered.  Authentication is the validation of identities between all parties in communication with each other and ensuring that they are who they say they are.  Nonrepudiation exists so that someone cannot deny actions in communications in effort to make sure that everyone is liable for a message that they send. Cryptography has many sub-departments such as Public Key Infrastructure (PKI), Key Management, Secure Shell Keys (SSH), symmetric cryptography, and asymmetric cryptography. Cryptographic professionals working in an organization would be responsible for making sure web servers have valid certificates, Linux systems have valid SSH Keys, data is encrypted in all three formats (rest, transit, use), digital signatures are attached to messages, encryption keys are rotated based on a validity period, and essentially all confidential data in the organization is safe from unauthorized access. V. DIGITAL CERTIFICATES Digital certificates are used to authenticate a user in electronic transactions [10]. Certificates can be compared to a driver’s license. They can be placed on a web server in order to encrypt the data and function over port 443 (Https). The other resides on the user’s machine. This works as a handshake. The user and server make a mutual hello to establish connection, the server provides the certificate, the server and user exchange cryptographic keys, user sends their certificate, messages are sent/receives over an encrypted channel. The virtualized nature of IaaS solutions leads to most organizations utilizing a Public Key Infrastructure (PKI) setup which requires a dedicated group to manage digital certificates and hardware security modules to store the encryption keys [10]. PKI uses asymmetric cryptography which uses two keys, public and private but both are mathematically generated. The sender encrypts the data with the receiver’s public key so that the message can only be decrypted by the receiver with their private key. This is compared to symmetric cryptography where only one key is used to encrypt and decrypt data by the sender and receiver. Web transactions are encrypted using Secure Sockets Layer (SSL) or Transport Layer Security (TLS) which is more prevalent today as TLS is considered more secure than SSL. Of course, both TLS and SSL have many versions with the intention to improve the current state. The most current and approved standard for TLS in 1.2. TLS 1.3 is released but still requires some tune ups which is why most organizations haven’t adopted the new protocol. Nonrepudiation and digital signatures use digital certificates as their proof of identity. This makes sure that the sender is who they say they are and so that they cannot deny any messages that were sent with their digital signature in the future. VI. HARDWARE SECURITY MODULES (HSM) Hardware Security Modules (HSM) are pieces of equipment that are usually one unit in a server rack that store items such as encryption keys. HSMs require a pin entry device and several members of the cryptography team to log in to the HSM for separation of duties. Not one person should be able to login and perform all the functions as that person would be a superuser. Usually, one person would enter half of the administrator password, someone else would enter the
7 | P a g e other half, one person would perform the functions and configuration required on the HSM, and another person would enter the pin into the device. Each action is supervised by someone else in case of mistakes. There are several types of HSMs depending on the industry. There is equipment for the payment card industry, key management, and federal requirements and highly confidential data. Now, they can be virtualized for easier access and less capital costs for the organization. Basically, the end goal with an HSM is storing sensitive data in a way that no third party can tamper with the data housed on it. An HSM will be virtualized with remote access capabilities or the hardware will be on premise with physical access [11]. They have firewall controls within each device as well as multi-tenancy options [11]. The HSM has several partitions where each is usually assigned to a specific application and their corresponding encryption keys. Each key has a life cycle and needs to be replaced after a certain amount of time that is determined by NIST or any governing body that your organization falls under. Hardware Security Module VII. CRYPTO IN THE CLOUD Cloud security has been one of the more popular topics ever since the beginning of cloud computing. How can an organization utilize cloud computing while remaining secure? We can do this with a Hardware Security Module (HSM). End-to-end communication between the organization and cloud application will go through the HSM for encryption [11]. This way, if the cloud provider suffers a data breach, the organization’s data resides the HSM, which is encrypted separately with the organization having complete control over the security of their data in the cloud. This strategy also ensures that the cloud provider isn’t tampering with the organization’s data. Placing data in the cloud is essentially taking your personal data and letting it sit on someone else’s computer where you can still access it if you need to. At any time, that person can remove your access but still have your data. They could also be accessing your data without your knowledge. As an organization who is responsible for that data, we need to make sure we have the control over security so that security isn’t based on trust. This route should be taken by organizations to make sure their data is secure in the cloud. Cloud computing isn’t going away, but rather becoming more prevalent in the world today. Security professionals need to understand the cryptography aspects and apply them in their organization to optimize data security in the cloud. We need to remember that security depends on the appropriate protection mechanism of the weakest link in the entire security organization [10]. If that weakest link is the cloud, but the rest of the organization has minimal vulnerabilities, they are not secure because all of that data in the cloud can be compromised at any given time. That data may be highly confidential and could possibly cost the organization a significant amount of money or even running the business into the ground. Oil is no longer the world’s most valuable resource, data is. We need to spend the money, time, effort, and invest into professionals and can keep the organization’s data secure and keep the name of the organization out of media headlines. VIII. CONCLUSION IaaS services have significant benefits in comparison to the on-site, departmentally managed IT infrastructure that was the prevailing norm for many years. The level of access, ease of management, and dynamic provision capabilities that IaaS services offer bring the complexity and cost of managing sophisticated hardware and software to a new level of approachability and affordability. Successful utilization of IaaS cloud services requires careful consideration of data security in IaaS products. However, ss long as careful research is done into an IaaS provider’s facility, and the right application of cryptographic protocols and secure programming techniques is used on the client side, a reasonable amount of security can be achieved for most IT solutions. Additionally, the flexibility of IaaS products make it possible to scale services and applications with low security priority in the cloud alongside in-house servers to create hybrid systems that are both secure and cost-effective.
8 | P a g e IX. REFERENCES [1] Watkins, Darren. “Protecting Your Data Infrastructure.” Credit Control, vol. 38, no. 3/4, Mar. 2017,pp.57–59. EBSCOhost. [2] Anand, A. (2017). “Cloud computing and cloud related security issues.” International Journal of Advanced Research in Computer Science, 8(5) Retrieved from https://reddog.rmu.edu/login?url=https://reddog.rmu.edu:3479/ docview/1912631341?accountid=2836 [3] D. Gonzales, J. M. Kaplan, E. Saltzman, Z. Winkelman and D. Woods, "Cloud-Trust—a Security Assessment Model for Infrastructure as a Service (IaaS) Clouds," in IEEE Transactions on Cloud Computing, vol. 5, no. 3, pp. 523-536, 1 July-Sept. 2017. [4] Kratzke, Nane. (2018). “A Brief History of Cloud Application Architectures.” Applied Sciences. no. 8, pp. 1368. EBSCOhost. [5] Xu, Zhiyan, et al. “Security Analysis of a Publicly Verifiable Data Possession Scheme for Remote Storage.” Journal of Supercomputing, vol. 73, no. 11, Nov. 2017, pp. 4923–4930. EBSCOhost. [6] Gonzalez, N., Miers, C., Redígolo, F., Simplício, M., Carvalho, T., Näslund, M., & Pourzandi, M. (2012). “A quantitative analysis of current security concerns and solutions for cloud computing.” Journal of Cloud Computing, 1(1), 1- 18. [7] Müller, A., Ludwig, A., & Franczyk, B. (2017). “Data security in decentralized cloud systems – system comparison, requirements analysis and organizational levels.” Journal of Cloud Computing, 6(1), 1-9. [8] X. Yin, X. Chen, L. Chen, G. Shao, H. Li and S. Tao, "Research of Security as a Service for VMs in IaaS Platform," in IEEE Access, vol. 6, pp. 29158-29172, 2018. [9] Bhadauria, R., Chaki, R., Chaki, N., & Sanyal, S. (2014). “SECURITY ISSUES IN CLOUD COMPUTING.” Acta Technica Corviniensis - Bulletin of Engineering, 7(4), 159- 177. Retrieved from https://reddog.rmu.edu/login?url=https://reddog.rmu.edu:3479/ docview/1618069466?accountid=28365 [10] Al-Sakib Khan Pathan. “Basics of Security and Cryptography”. Vol 1. Pp 1-10, 2017. [11] Ultimaco. “Ultimaco Brings the Power of Hardware Security Module Technology to the Cloud”. Vol 1, pp 1-2, 2015. [12] Bhardwaj S., Jain L., Sandeep J.(2015). “Cloud Computing: A Study Of Infrastructure As A Service (Iaas).” International Journal Of Engineering And Information Technology,2(1), 1- 10. [13] Chong N.(2019). “Cloud Computing Challenges in a General Perspective.” Journal of Computing and Management Studies, 1(3), 1-5. [14] Rashid A., Amit C.(2019) “Cloud Computing Characteristics and Services: A Brief Review.” International Journal of Computer Sciences and Engineering, 7(2),1-6.

More Related Content

PDF
Risk management for cloud computing hb final
Christophe Monnier
 
PPTX
Cloud is not an option, but is security?
Jody Keyser
 
PDF
Trust based Mechanism for Secure Cloud Computing Environment: A Survey
inventionjournals
 
PDF
ISACA Journal Publication - Does your Cloud have a Secure Lining? Shah Sheikh
Shah Sheikh
 
PPT
Infrastructure Security by Sivamurthy Hiremath
ClubHack
 
PPT
Cloud Computing Security Challenges
Yateesh Yadav
 
PDF
INFORMATION SECURITY IN CLOUD COMPUTING
ijitcs
 
PPTX
Cloud computing Risk management
Padma Jella
 
Risk management for cloud computing hb final
Christophe Monnier
 
Cloud is not an option, but is security?
Jody Keyser
 
Trust based Mechanism for Secure Cloud Computing Environment: A Survey
inventionjournals
 
ISACA Journal Publication - Does your Cloud have a Secure Lining? Shah Sheikh
Shah Sheikh
 
Infrastructure Security by Sivamurthy Hiremath
ClubHack
 
Cloud Computing Security Challenges
Yateesh Yadav
 
INFORMATION SECURITY IN CLOUD COMPUTING
ijitcs
 
Cloud computing Risk management
Padma Jella
 

What's hot (20)

PDF
SECURITY ISSUES IN CLOUD COMPUTING
International Journal of Technical Research & Application
 
PDF
Introduction to cloud security
IAEME Publication
 
PDF
A Survey on Cloud Computing Security – Challenges and Trust Issues
IJCSIS Research Publications
 
PDF
Various Security Issues and their Remedies in Cloud Computing
INFOGAIN PUBLICATION
 
PPTX
Cloud Audit and Compliance
Quadrisk
 
PDF
Review on Security Aspects for Cloud Architecture
IJECEIAES
 
PDF
Security of Data in Cloud Environment Using DPaaS
IJMER
 
PPTX
Cloud security - Auditing and Compliance
Josh Tullo
 
PPTX
CLOUD SECURITY IN INSURANCE INDUSTRY WITH RESPECT TO INDIAN MARKET
Amity University | FMS - DU | IMT | Stratford University | KKMI International Institute | AIMA | DTU
 
PDF
Cloud computing - Risks and Mitigation - GTS
Anchises Moraes
 
PDF
Never Compromise Your Mission: 5 Ways to Strengthen Data and Network Security...
Unisys Corporation
 
PDF
Ijirsm poornima-km-a-survey-on-security-circumstances-for-mobile-cloud-computing
IJIR JOURNALS IJIRUSA
 
PPTX
Security in Cloud Computing
Rohit Buddabathina
 
PPTX
Cloud Security By Dr. Anton Ravindran
GSTF
 
PDF
Security Concerns in Cloud Computing
ijtsrd
 
PPTX
4.5.cloud security
DrRajapraveenkN
 
PPTX
Cloud Computing Security
Nithin Raj
 
PDF
IRJET- A Survey on SaaS-Attacks and Digital Forensic
IRJET Journal
 
PDF
IRJET- An Effective Protection on Content based Retrieval in Cloud Storehouse
IRJET Journal
 
PDF
Cloud Computing: Its Applications and Security Issues (A Major Challenge in C...
IRJET Journal
 
SECURITY ISSUES IN CLOUD COMPUTING
International Journal of Technical Research & Application
 
Introduction to cloud security
IAEME Publication
 
A Survey on Cloud Computing Security – Challenges and Trust Issues
IJCSIS Research Publications
 
Various Security Issues and their Remedies in Cloud Computing
INFOGAIN PUBLICATION
 
Cloud Audit and Compliance
Quadrisk
 
Review on Security Aspects for Cloud Architecture
IJECEIAES
 
Security of Data in Cloud Environment Using DPaaS
IJMER
 
Cloud security - Auditing and Compliance
Josh Tullo
 
CLOUD SECURITY IN INSURANCE INDUSTRY WITH RESPECT TO INDIAN MARKET
Amity University | FMS - DU | IMT | Stratford University | KKMI International Institute | AIMA | DTU
 
Cloud computing - Risks and Mitigation - GTS
Anchises Moraes
 
Never Compromise Your Mission: 5 Ways to Strengthen Data and Network Security...
Unisys Corporation
 
Ijirsm poornima-km-a-survey-on-security-circumstances-for-mobile-cloud-computing
IJIR JOURNALS IJIRUSA
 
Security in Cloud Computing
Rohit Buddabathina
 
Cloud Security By Dr. Anton Ravindran
GSTF
 
Security Concerns in Cloud Computing
ijtsrd
 
4.5.cloud security
DrRajapraveenkN
 
Cloud Computing Security
Nithin Raj
 
IRJET- A Survey on SaaS-Attacks and Digital Forensic
IRJET Journal
 
IRJET- An Effective Protection on Content based Retrieval in Cloud Storehouse
IRJET Journal
 
Cloud Computing: Its Applications and Security Issues (A Major Challenge in C...
IRJET Journal
 
Ad

Similar to Cloud computing & IAAS The Dual Edged Sword of New Technology (20)

PDF
Ijirsm ashok-kumar-h-problems-and-solutions-infrastructure-as-service-securit...
IJIR JOURNALS IJIRUSA
 
PPTX
talk6securingcloudamarprusty-191030091632.pptx
TrongMinhHoang1
 
PDF
Security Issues in Cloud Computing by rahul abhishek
Er. rahul abhishek
 
PDF
A Review on Data Protection of Cloud Computing Security, Benefits, Risks and ...
United International Journal for Research & Technology
 
DOC
Security Issues in Cloud Computing by rahul abhishek
Er. rahul abhishek
 
PDF
Data Security Model Enhancement In Cloud Environment
IOSR Journals
 
PPT
Cloud Computing - Security Benefits and Risks
William McBorrough
 
PPTX
Cloud Security
AWS User Group Bengaluru
 
PPTX
Cloud Security
AWS User Group Bengaluru
 
PPTX
Cloud computing & security basics
Rahul Gurnani
 
PPTX
Cloud Computing in Business and facts
Arun Ganesh
 
PDF
A Comprehensive Review on Data Security and Threats for Data Management in Cl...
AJASTJournal
 
PDF
A Comprehensive Review on Data Security and Threats for Data Management in Cl...
AJASTJournal
 
PDF
saassecurity-230424030940-08314322.pdf
SahilSingh316535
 
PPTX
SaaS Security.pptx
chelsi33
 
PPT
Cloud models and platforms
Prabhat gangwar
 
PPTX
Security in the cloud Workshop HSTC 2014
Akash Mahajan
 
PPT
Cloud Computing Security Issues in Infrastructure as a Service”
Vivek Maurya
 
PDF
Methodologies for Enhancing Data Integrity and Security in Distributed Cloud ...
IIJSRJournal
 
PDF
Rp059 Icect2012 E694
Sandeep Saxena
 
Ijirsm ashok-kumar-h-problems-and-solutions-infrastructure-as-service-securit...
IJIR JOURNALS IJIRUSA
 
talk6securingcloudamarprusty-191030091632.pptx
TrongMinhHoang1
 
Security Issues in Cloud Computing by rahul abhishek
Er. rahul abhishek
 
A Review on Data Protection of Cloud Computing Security, Benefits, Risks and ...
United International Journal for Research & Technology
 
Security Issues in Cloud Computing by rahul abhishek
Er. rahul abhishek
 
Data Security Model Enhancement In Cloud Environment
IOSR Journals
 
Cloud Computing - Security Benefits and Risks
William McBorrough
 
Cloud Security
AWS User Group Bengaluru
 
Cloud Security
AWS User Group Bengaluru
 
Cloud computing & security basics
Rahul Gurnani
 
Cloud Computing in Business and facts
Arun Ganesh
 
A Comprehensive Review on Data Security and Threats for Data Management in Cl...
AJASTJournal
 
A Comprehensive Review on Data Security and Threats for Data Management in Cl...
AJASTJournal
 
saassecurity-230424030940-08314322.pdf
SahilSingh316535
 
SaaS Security.pptx
chelsi33
 
Cloud models and platforms
Prabhat gangwar
 
Security in the cloud Workshop HSTC 2014
Akash Mahajan
 
Cloud Computing Security Issues in Infrastructure as a Service”
Vivek Maurya
 
Methodologies for Enhancing Data Integrity and Security in Distributed Cloud ...
IIJSRJournal
 
Rp059 Icect2012 E694
Sandeep Saxena
 
Ad

More from Mekhi Da ‘Quay Daniels (7)

PDF
Fratangelo's Case Study
Mekhi Da ‘Quay Daniels
 
PDF
Professional Resume
Mekhi Da ‘Quay Daniels
 
PDF
Jamiaca: The Land of Blessed Gold
Mekhi Da ‘Quay Daniels
 
PPTX
Slides for CC & IAAS
Mekhi Da ‘Quay Daniels
 
PDF
Green Speech
Mekhi Da ‘Quay Daniels
 
PPTX
Green Revolution
Mekhi Da ‘Quay Daniels
 
PDF
Internal Threats: The New Sources of Attack
Mekhi Da ‘Quay Daniels
 
Fratangelo's Case Study
Mekhi Da ‘Quay Daniels
 
Professional Resume
Mekhi Da ‘Quay Daniels
 
Jamiaca: The Land of Blessed Gold
Mekhi Da ‘Quay Daniels
 
Slides for CC & IAAS
Mekhi Da ‘Quay Daniels
 
Green Speech
Mekhi Da ‘Quay Daniels
 
Green Revolution
Mekhi Da ‘Quay Daniels
 
Internal Threats: The New Sources of Attack
Mekhi Da ‘Quay Daniels
 

Recently uploaded (20)

PPTX
Dragon_Fruit_Cultivation_in Nepal ppt.pptx
UmeshTimilsina1
 
PDF
kom-180-proposal-for-a-directive-amending-directive-2014-45-eu-and-directive-...
nlusch08
 
PDF
Stem Cell Market Report | Trends, Growth & Forecast 2025-2034
Claight Corporation
 
PDF
pdfcoffee.com-opt-b1plus-sb-answers.pdfvi
thaoonguyenn2311
 
PDF
Traveri Digital Marketing Seminar 2025 by Corey and Jessica Perlman
Corey Perlman, Social Media Speaker and Consultant
 
PPTX
DMT - Profile Brief About Business .pptx
AkhileshKumar724847
 
PDF
A Brief Introduction About Julia Allison
Julia Allison
 
PDF
Roadmap Map-digital Banking feature MB,IB,AB
Alemayehu
 
PDF
Business model innovation report 2022.pdf
pradvapal
 
PDF
Elevate Cleaning Efficiency Using Tallfly Hair Remover Roller Factory Expertise
farsookmon97766765
 
PPTX
New Microsoft PowerPoint Presentation - Copy.pptx
itsmesumedh96
 
DOCX
unit 2 cost accounting- Tender and Quotation & Reconciliation Statement
MANJU N
 
PPTX
Belch_12e_PPT_Ch18_Accessible_university.pptx
Haitham327103
 
PPTX
AI-assistance in Knowledge Collection and Curation supporting Safe and Sustai...
Barry Hardy
 
PDF
Lecture 3 - Risk Management and Compliance.pdf
Quan Risk
 
PDF
Chapter 5_Foreign Exchange Market in .pdf
sophatphoniu
 
PPTX
ICG2025_ICG 6th steering committee 30-8-24.pptx
AtiarRahaman5
 
PPTX
sales presentation، Training Overview.pptx
hamdullahazimi3
 
PPTX
5 Stages of group development guide.pptx
keerthanashanmugam201
 
PDF
WRN_Investor_Presentation_August 2025.pdf
cmagee4
 
Dragon_Fruit_Cultivation_in Nepal ppt.pptx
UmeshTimilsina1
 
kom-180-proposal-for-a-directive-amending-directive-2014-45-eu-and-directive-...
nlusch08
 
Stem Cell Market Report | Trends, Growth & Forecast 2025-2034
Claight Corporation
 
pdfcoffee.com-opt-b1plus-sb-answers.pdfvi
thaoonguyenn2311
 
Traveri Digital Marketing Seminar 2025 by Corey and Jessica Perlman
Corey Perlman, Social Media Speaker and Consultant
 
DMT - Profile Brief About Business .pptx
AkhileshKumar724847
 
A Brief Introduction About Julia Allison
Julia Allison
 
Roadmap Map-digital Banking feature MB,IB,AB
Alemayehu
 
Business model innovation report 2022.pdf
pradvapal
 
Elevate Cleaning Efficiency Using Tallfly Hair Remover Roller Factory Expertise
farsookmon97766765
 
New Microsoft PowerPoint Presentation - Copy.pptx
itsmesumedh96
 
unit 2 cost accounting- Tender and Quotation & Reconciliation Statement
MANJU N
 
Belch_12e_PPT_Ch18_Accessible_university.pptx
Haitham327103
 
AI-assistance in Knowledge Collection and Curation supporting Safe and Sustai...
Barry Hardy
 
Lecture 3 - Risk Management and Compliance.pdf
Quan Risk
 
Chapter 5_Foreign Exchange Market in .pdf
sophatphoniu
 
ICG2025_ICG 6th steering committee 30-8-24.pptx
AtiarRahaman5
 
sales presentation، Training Overview.pptx
hamdullahazimi3
 
5 Stages of group development guide.pptx
keerthanashanmugam201
 
WRN_Investor_Presentation_August 2025.pdf
cmagee4
 

Cloud computing & IAAS The Dual Edged Sword of New Technology

  • 1. 1 | P a g e Cloud Computing: Infrastructure As A Service - The Dual-Edged Sword of New Technology By Mekhi D., Tyler L., William M. Abstract: Cloud Computing has emerged as the premier infrastructure for creating affordable, scalable and reliable IT solutions for companies of all sizes. However, as with all new technologies, Cloud Computing poses many demanding security considerations, and each must be addressed to ensure the confidentiality, integrity, availability, authenticity, and privacy of a developer’s product. This paper will focus on Infrastructure as a service (IaaS), a subset of cloud computing that provides virtualized computing resources over the internet. An IaaS provider is responsible for hosting infrastructure components such as servers, storage space, and networking hardware to alleviate the cost burden from their consumers of having to maintain such facilities on-site. Companies such as Amazon, Google, Microsoft and Digital Ocean have created an industry worth billions of dollars to provide this very service to businesses of all sizes. For example, Lyft, the second biggest ridesharing company in the world, relies on Amazon’s IaaS, complemented by Amazon’s SaaS, to run much of their external consumer network. Lyft has credited much of the success of their product to the demand-based elastic server and resource allocation features provided by Amazon Web Services.[13] This paper will breakdown the security challenges of IaaS usage and implementation into physical infrastructure security considerations, the necessary secure programming principles, and cryptographic techniques for securing data, and make recommendations for best practices when moving to an IaaS solution. Keywords— Infrastructure as a Service (IaaS), Platform as a Service (PaaS), Amazon Web Services (AWS), Virtual Personal Network (VPN), Cryptography, Digital Certificate, Hardware Security Module, PKI, Encryption, I. INTRODUCTION Infrastructure as a Service (IaaS) as a concept came into fruition in the 1990’s alongside the usage of VPNs by telecommunication companies. These companies realized that they were able to switch from physical point-to-point connections to VPN-enabled connections with comparable quality of services, with a lowered cost for both the consumer and the organization. VPNs also gave organizations better control over sever processing usage by allowing them to dynamically allocate network traffic in response to demand. Over time, as the technology matured, businesses extended the boundaries of cloud computing to cover all servers and most network infrastructure functions, and thus IaaS was born[6]. “In terms of business, cloud computing is becoming more and more important” [7]. In the last ten years, with the creation of companies such as Amazon Web Services, the IT industry has become dominated by the usage of IaaS to provide the services traditionally accomplished by hosting costly on-site hardware installations. As Anand states, “the advantages of cloud services for the customers include lowering the costs for managing huge resources, as now the companies need not manage the resources which are managed by the CSPs such as Google, Amazon, Microsoft etc. Moreover, the computer resources may be used on demand basis such as on pay-per-use basis by the customers”[4]. Though IaaS products are cost-effective and low maintenance when provisioned correctly, consumers are realizing that this freedom from a rigid cost structure comes with a loss of security in three ways:  Users will lose their physical control over the data once they outsource their data to cloud servers, and the integrity of data may be violated without user awareness [5].  Cloud server providers may behave unfaithfully toward the data owners [5].  Even if the cloud server is honest, there still exists the possibilities of cloud server failure and management errors or adversary attacks, which can lead to the corruption of stored data [5].
  • 2. 2 | P a g e The next section will address the secure programming principles and techniques necessary, and commonly used, to address the common vulnerabilities found within an organization’s usage and implementation of an IaaS-modeled system. II. SECURING THE PHYSICAL INFRASTRUCTURE A. Availability and Natural Diasasters One of the defining characteristics of an IaaS model is guaranteeing high availably, in that if the services are configured properly, the end users will not have downtime because of hardware or service limitations from the IaaS provider. Part of the allure of using an IaaS provider is that provisioning a facility with the necessary infrastructure to support high availably is extremely costly, given that “to ensure the facilities maintain uptime should they come under attack from natural sources or otherwise, physical security is not only limited to the outside of the building. Data centres need utilities to be resilient and redundant so if one system fails, there is a backup. These include water, power, telephone lines and air filtration systems to ensure security systems, heating, ventilation and air conditioning continue to operate in case of an area-wide power outage” [1]. Natural disasters and terrorist threats are of chief concern when planning the design of data center facilities, and to allay these concerns cloud data centers must be built to withstand hurricanes, earthquakes, terrorist attacks, loss of power and other disasters. Certifications and compliance exist to certify preparedness for these types of threats, such as Uptime Institute Tier III and ISO27001, which both use independent auditors to determine if a facility can withstand extreme weather/threats and still offer high availability, as well as have full redundancy in the physical implementation of the hardware systems. B. Controlling and Monitoring Access Part of data security in an IaaS cloud data center relies on controlling how the facility is accessed. Keeping people out who are not supposed to have access to hardware containing private data is a fundamental component of defending against social engineering and terrorist attacks. There are seven broad categories that are implemented [1]:  Fencing or a physical barrier a minimum of three meters in height.  Trembler wire on top of the fencing with a zoned alarm system for identifying breaches  Surveillance cameras on all entrances, exits and possible access points  Security team with on-site personal 24/7  Strict control of where vehicles can park for building access  Photo authentication and access control with different levels for appropriate areas of the facility.  Biometrics for monitoring the amount of people in a given area of the facility. Physical security is just the starting point for security in the cloud, secure programming techniques also play an equal part in keeping information safe in a cloud computing facility. III. SECURE PROGRAMMING PRINCIPLES AND TECHNIQUES A. Choosing the Right IaaS Provider True security starts from the foundation up, the security of an organization’s program will only be as secure as the infrastructure in which the program will be run/executed. As such, one of the most important and time-consuming parts of the implementation of an IaaS service is choosing the right provider who best meets your business needs, currently and in the future. When organizations are considering the outsourcing of internal technologies through IaaS, they must understand the different features that each IasS provider has to offer, and how each tooling set will interact with the current system the organization has in place. Only then can an informed decision be made to determine which service provider can provide the most applicable categorized gains to all organizational stakeholders. The following is an overview of some of the considerations that must be taken when developing a secure IaaS pipeline:  Type of Cloud Service Required: There are various types of cloud services.. The chart below will provide more detail on the types and how they can be used. The various types are designed to be specific to an organization’s needs.
  • 3. 3 | P a g e Table 1 [14]: Comparison of Cloud Computing Service Models Model Scope Managed By Security Level Public Model General Public and Industries Cloud Service Providers Low Private Model Single Organization Single Organization High Community Mode Organizations having similar policies and same security concerns Many organizations and IaaS providers High Hybrid Model Public and organization Public and organization Medium  Security Redundancy: An IaaS must have multi layers of security, such as Input Data Validation tools. Without these layers of security, an organization not only risk the security of their application, but will not be able to effectively protect the sensitive information that must be transmitted through the third-party IaaS network.  Providers who cater to business size/ Flexible capacity: Many of the industry leaders in IaaS chose to specialize their service to a desired client business size. When considering IaaS providers, one must look at providers that are able to provide a level of service a given business requires and determine if the IaaS provider will be able to grow as the business needs increase. [13]  Integration/ Interoperability: An IaaS provider should be assessed on the ability of the IaaS to smoothly integrate with existing software. When systems are not compatible, it can lead to security flaws due to missing features in the new host system. Fixing this issue requires expensive refactoring of the existing products, but refactoring has its own set of problems and bugs that can crop up even after the products are in production in the new environment.[12]  Usability: Usability is defined as the ease of use and learnability of a platform which is very important for modern-day companies. One must determine if a company’s existing staff will be able to smoothly operate the new network infrastructure with limited business disruption before switching to an IaaS based solution.  Provider’s offering of Cloud Management Tools: In addition to the IaaS product suite, some IaaS providers will provision their consumers with cloud management tools. These tools allow organizations optimize their service and gain insight on their own processes through analytical tooling and services provided by the IaaS providers.[12]  Providers with Disaster Recovery Solutions: Companies will never know when they’re about to be the target of malicious breach, especially when most network traffic may run through the third-party’s IaaS product. Even though cyber-attacks cannot be fully prevented, Disaster Recovery Solutions are a valuable resource in the effort to minimize the business disruption of such an attack.[12] The bullet points above illustrate a process that is unique to every organization and must be adapted around the business needs of a given industry. IaaS providers can also be evaluated on the Security-by-Design principles to gain a firm understanding on what are the necessary foundational security features that must be exhibited in any potential IaaS provider. [13] B. Security-By-Design Security-by-Design is defined as an approach to security that has been molded as a foundational platform for any developer/organization to formalize infrastructure design and automate security controls so that one can build security into every part of an infrastructure. Because of this formalization of principles, there are common rules that can be applied to emerging technologies, in this case adapted for IaaS technology[14]:  Principle of Least Privilege: IaaS Providers and consumers must focus on having solid tooling and procedures for monitoring and controlling access control. The most effective method of accomplishing this goal is to follow the principle of least privilege. The principle requires that only the necessary permissions are granted to users, to prevent privilege creep. The principle also addresses credential sharing, as in order to quickly isolate a security incident you must ensure that
  • 4. 4 | P a g e each member/group has their own credentials on the system.  Layered Security: Security must be a concern addressed throughout the infrastructure on both the provider and consumer side of the service. “…distributed architectures, massive resource sharing and virtual machine (VM) instances synchronization imply more data in transit in the cloud, thus requiring VPN mechanisms for protecting the system against sniffing, spoofing, man-in-the-middle and side-channel attacks” [6]. For example, if utilizing AWS there must be well defined and proper security control in the following areas: o Edge Network o Virtual Private Cloud o Subnet o Load Balancer o Every Instance o Operating system o Application Logic o IAM Each component is necessary for the creation of a secure infrastructure.  Procedures of Incident Response & Management: Even with the best security measures in place, a security developer must understand that failure is always a possibility. The only way to plan for an inevitable moment of failure is to have an established Incident Response Plan in place to effectively respond to a breach. An incident plan must be in place on both sides of the consumer-provider relationship, and these plans should be shared in order to ensure efficiency when responding to a security incident. The rule of thumb is to approach a development project from a pessimistic view, so all the potential flaws can be addressed before they become a vulnerability in the product once in production.  Data Prioritization: At the end of the day, data security is not an option when considering cloud security principles. Data is the main target of attack by malicious actors, and as such should be protected at all cost, within reason. When considering data as applied to cloud technologies, it can be categorized as follows: o Data in Transit: Data in transit is classified as data transmitted between servers within the organizational infrastructure or between the servers and the internet. Some of the common methods of securing the above stated data is the usage of proper transmission protocols such as Transport Layer Security (TLS) or HTTPS. Unfortunately, using secure protocols is often not enough to secure data in transit, as the virtual machines that are used in cloud computing communicate with each other over an internal software backplane that cannot be monitored/controlled with standard network security controls [8]. o Data at Rest: Data at rest is classified as data stored in storage mediums, including block storage, databases, and object storage. The most prevalent security best practice is the usage of encryption to protect this data.[8] Security by Design was created to act as a guideline for the development of any given security system. The principles can be followed to ensure that security is placed at all necessary layers of a given system, in both the physical and virtual components. C. Data Validation (Input/ Output) Data Validation is defined as the process of ensuring data has undergone “cleansing”, which ensures that the data is correctly formatted and relevant to the application. For IaaS providers to ensure that data is correctly protected within the cloud infrastructure, developers need to classify the data accurately and monitor how and when it is accessed. The most important and common data validation process occurs when verifying the username and password of a potential user on a platform. The new wave in technology is interconnectivity, which is the ability to access multiple databases in one application to expediate the process of a task completion for the end user. With the two following aspects combined, the need for proper data validation principles has never been so intense. To properly perform this task, data validation processes/procedures must be maintained on all sides of the data transaction, meaning that as the consumer, one must have correct data validation procedures in place as well. This ensures that if inaccurate data manages to surpass the provider’s data validation processes, it won’t allow the inaccurate data to be inputted for authorization into an organization’s system. When developing data validation procedures, experts like to categorize the processes into input and output related data validation. These two types will be explained in more detail below:
  • 5. 5 | P a g e  Input Validation: is defined as the proper testing of an input supplied by a user or an application. The purpose is to prevent improperly formatted data from entering the input system (IS), which deters malicious actors from attempting to breach the system. Failure to perform this process can lead to injection attacks, memory leakage, and eventually compromised systems. The common techniques used to accomplish input validation include: o Whitelisting: The process of dictating to the IS to only pass along data if it is included in the “whitelist” of expected data. This is the preferred method as it is easier to predict the allowable data input types than it is to predict every possible unallowable data field [5]. o Blacklisting: The process of dictating to the IS to not pass along a data item if it is specified on the “blacklist”. This method is generally less used due to the time-consuming nature and inability to fully predict every unallowable data field input.  Output Encoding: The process of transforming all characters of an untrusted output into an alternative representation for comparison purposes to validate the output before continuing along the data stream process. The purpose of which is to convert the data into a safe format where the input can be displayed as data to the user without the actual execution of code within the browser. Failure to follow output encoding procedures can lead to cross-site scripting vulnerabilities by allowing for the injection of client-side script code. Data Validation is a process that must be included into every application, to act as a preventive measure against a variety of malicious attacks. Preventive measures will eventually fail, so in order to prepare for this inevitability procedures must be in place that can alert the appropriate staff and provide the necessary information for the isolation and remediation of a potential attack. This is where the principles of security monitoring come into play. D. Real-Time Security Monitoring Due to the interconnectivity of modern information systems, the approach to monitoring data has been completely reshaped in the past two decades. Before the age of Big Data, monitoring principles were slow- acting reactive measures that would only alert the user after an attack had occurred with very minimal information being provided, providing the user with limited courses of remediation. Now monitoring principles have been re-tooled as fast reactive measures that issue alerts against an ongoing attack, accompanied with hefty amounts of information that provide the user with multiple methods of remediation in real-time to minimize the business disruption cause by a breach. IaaS provides bundle security services in their subscription services. Typically, these services are automated solutions responsible for the constant supervision of virtual and physical servers to identify any potential security threats. The correct utilization of these procedures will create various benefits for any organization, including the following:  Prevents loss of business due to customer frustration by ensuring that their Personally Identifiable Information (PII) is safe.  Used effectively, IaaS security services can minimize the risk/ease of using the cloud for the transferring and storage of data.  Security features allow businesses to fully utilize the cloud without the improper hindering of the business procedures  Establishment of a network baseline, which can used for comparison purposes to identify any inconsistent activity. Allowing for faster response times to security incidents.  Collection of incident-related data to be stored in case the type of attack wagered was encountered again, and to provide organizations with the necessary evidence to proceed with legal actions, if necessary, in the event of an attack. Monitoring acts as the last line of defense in most systems, and in a world where attackers don’t work on the 9-5 time frame this system must continuous be running to be fully effective. IV. CRYPTOGRAPHY Cryptography has a variety of definitions depending on the person you ask. According to Pathan, “Cryptography is a science that employs mathematical logic to keep information secure and includes techniques such as hiding information in images (steganography), hiding information in storage, or in transit.” [10] We can store sensitive information and transmit information securely over insecure networks to reduce the risk of an attacker altering or viewing that information. There are many different types of algorithms that have been used for cryptographic purposes, going back to the German Enigma machine in WWII to present
  • 6. 6 | P a g e day methods like AES and RSA. These algorithms take plaintext and logically scramble the data via encryption, which then becomes the ciphertext. Cryptographic keys are truly random after the algorithm is performed on the data, which is essential to keeping this information out of the wrong hands. Truly random keys make it nearly impossible for attackers to access data if the algorithm is up to today’s standards, which are decided by Cryptanalysis professionals in concert with research and community consensus. This standard is an evolving benchmark, as computing power continues to increase and become less of a factor in the time it takes for cryptographic keys to be cracked. Cryptography uses ciphers to encrypt and decrypt the data. There are two major ciphers, stream cipher and block cipher. Stream ciphers encrypt the data one bit at a time. Block ciphers chunk the data into 64-bit blocks and encrypt each block separately [10]. There are many functions that cryptography serves for an organization. The main areas of security are confidentiality, integrity, and availability. Cryptography covers confidentiality, integrity, authentication, and non-repudiation [10].  Confidentiality is insuring that only authorized individuals can access confidential information when they need to.  Integrity is the accuracy of information from the time the message is sent to the time it is read. Creating a hash for a message is one way to ensure message integrity. If the hash at the beginning is the same as the hash that the receiver sees, then the message has not been altered.  Authentication is the validation of identities between all parties in communication with each other and ensuring that they are who they say they are.  Nonrepudiation exists so that someone cannot deny actions in communications in effort to make sure that everyone is liable for a message that they send. Cryptography has many sub-departments such as Public Key Infrastructure (PKI), Key Management, Secure Shell Keys (SSH), symmetric cryptography, and asymmetric cryptography. Cryptographic professionals working in an organization would be responsible for making sure web servers have valid certificates, Linux systems have valid SSH Keys, data is encrypted in all three formats (rest, transit, use), digital signatures are attached to messages, encryption keys are rotated based on a validity period, and essentially all confidential data in the organization is safe from unauthorized access. V. DIGITAL CERTIFICATES Digital certificates are used to authenticate a user in electronic transactions [10]. Certificates can be compared to a driver’s license. They can be placed on a web server in order to encrypt the data and function over port 443 (Https). The other resides on the user’s machine. This works as a handshake. The user and server make a mutual hello to establish connection, the server provides the certificate, the server and user exchange cryptographic keys, user sends their certificate, messages are sent/receives over an encrypted channel. The virtualized nature of IaaS solutions leads to most organizations utilizing a Public Key Infrastructure (PKI) setup which requires a dedicated group to manage digital certificates and hardware security modules to store the encryption keys [10]. PKI uses asymmetric cryptography which uses two keys, public and private but both are mathematically generated. The sender encrypts the data with the receiver’s public key so that the message can only be decrypted by the receiver with their private key. This is compared to symmetric cryptography where only one key is used to encrypt and decrypt data by the sender and receiver. Web transactions are encrypted using Secure Sockets Layer (SSL) or Transport Layer Security (TLS) which is more prevalent today as TLS is considered more secure than SSL. Of course, both TLS and SSL have many versions with the intention to improve the current state. The most current and approved standard for TLS in 1.2. TLS 1.3 is released but still requires some tune ups which is why most organizations haven’t adopted the new protocol. Nonrepudiation and digital signatures use digital certificates as their proof of identity. This makes sure that the sender is who they say they are and so that they cannot deny any messages that were sent with their digital signature in the future. VI. HARDWARE SECURITY MODULES (HSM) Hardware Security Modules (HSM) are pieces of equipment that are usually one unit in a server rack that store items such as encryption keys. HSMs require a pin entry device and several members of the cryptography team to log in to the HSM for separation of duties. Not one person should be able to login and perform all the functions as that person would be a superuser. Usually, one person would enter half of the administrator password, someone else would enter the
  • 7. 7 | P a g e other half, one person would perform the functions and configuration required on the HSM, and another person would enter the pin into the device. Each action is supervised by someone else in case of mistakes. There are several types of HSMs depending on the industry. There is equipment for the payment card industry, key management, and federal requirements and highly confidential data. Now, they can be virtualized for easier access and less capital costs for the organization. Basically, the end goal with an HSM is storing sensitive data in a way that no third party can tamper with the data housed on it. An HSM will be virtualized with remote access capabilities or the hardware will be on premise with physical access [11]. They have firewall controls within each device as well as multi-tenancy options [11]. The HSM has several partitions where each is usually assigned to a specific application and their corresponding encryption keys. Each key has a life cycle and needs to be replaced after a certain amount of time that is determined by NIST or any governing body that your organization falls under. Hardware Security Module VII. CRYPTO IN THE CLOUD Cloud security has been one of the more popular topics ever since the beginning of cloud computing. How can an organization utilize cloud computing while remaining secure? We can do this with a Hardware Security Module (HSM). End-to-end communication between the organization and cloud application will go through the HSM for encryption [11]. This way, if the cloud provider suffers a data breach, the organization’s data resides the HSM, which is encrypted separately with the organization having complete control over the security of their data in the cloud. This strategy also ensures that the cloud provider isn’t tampering with the organization’s data. Placing data in the cloud is essentially taking your personal data and letting it sit on someone else’s computer where you can still access it if you need to. At any time, that person can remove your access but still have your data. They could also be accessing your data without your knowledge. As an organization who is responsible for that data, we need to make sure we have the control over security so that security isn’t based on trust. This route should be taken by organizations to make sure their data is secure in the cloud. Cloud computing isn’t going away, but rather becoming more prevalent in the world today. Security professionals need to understand the cryptography aspects and apply them in their organization to optimize data security in the cloud. We need to remember that security depends on the appropriate protection mechanism of the weakest link in the entire security organization [10]. If that weakest link is the cloud, but the rest of the organization has minimal vulnerabilities, they are not secure because all of that data in the cloud can be compromised at any given time. That data may be highly confidential and could possibly cost the organization a significant amount of money or even running the business into the ground. Oil is no longer the world’s most valuable resource, data is. We need to spend the money, time, effort, and invest into professionals and can keep the organization’s data secure and keep the name of the organization out of media headlines. VIII. CONCLUSION IaaS services have significant benefits in comparison to the on-site, departmentally managed IT infrastructure that was the prevailing norm for many years. The level of access, ease of management, and dynamic provision capabilities that IaaS services offer bring the complexity and cost of managing sophisticated hardware and software to a new level of approachability and affordability. Successful utilization of IaaS cloud services requires careful consideration of data security in IaaS products. However, ss long as careful research is done into an IaaS provider’s facility, and the right application of cryptographic protocols and secure programming techniques is used on the client side, a reasonable amount of security can be achieved for most IT solutions. Additionally, the flexibility of IaaS products make it possible to scale services and applications with low security priority in the cloud alongside in-house servers to create hybrid systems that are both secure and cost-effective.
  • 8. 8 | P a g e IX. REFERENCES [1] Watkins, Darren. “Protecting Your Data Infrastructure.” Credit Control, vol. 38, no. 3/4, Mar. 2017,pp.57–59. EBSCOhost. [2] Anand, A. (2017). “Cloud computing and cloud related security issues.” International Journal of Advanced Research in Computer Science, 8(5) Retrieved from https://reddog.rmu.edu/login?url=https://reddog.rmu.edu:3479/ docview/1912631341?accountid=2836 [3] D. Gonzales, J. M. Kaplan, E. Saltzman, Z. Winkelman and D. Woods, "Cloud-Trust—a Security Assessment Model for Infrastructure as a Service (IaaS) Clouds," in IEEE Transactions on Cloud Computing, vol. 5, no. 3, pp. 523-536, 1 July-Sept. 2017. [4] Kratzke, Nane. (2018). “A Brief History of Cloud Application Architectures.” Applied Sciences. no. 8, pp. 1368. EBSCOhost. [5] Xu, Zhiyan, et al. “Security Analysis of a Publicly Verifiable Data Possession Scheme for Remote Storage.” Journal of Supercomputing, vol. 73, no. 11, Nov. 2017, pp. 4923–4930. EBSCOhost. [6] Gonzalez, N., Miers, C., Redígolo, F., Simplício, M., Carvalho, T., Näslund, M., & Pourzandi, M. (2012). “A quantitative analysis of current security concerns and solutions for cloud computing.” Journal of Cloud Computing, 1(1), 1- 18. [7] Müller, A., Ludwig, A., & Franczyk, B. (2017). “Data security in decentralized cloud systems – system comparison, requirements analysis and organizational levels.” Journal of Cloud Computing, 6(1), 1-9. [8] X. Yin, X. Chen, L. Chen, G. Shao, H. Li and S. Tao, "Research of Security as a Service for VMs in IaaS Platform," in IEEE Access, vol. 6, pp. 29158-29172, 2018. [9] Bhadauria, R., Chaki, R., Chaki, N., & Sanyal, S. (2014). “SECURITY ISSUES IN CLOUD COMPUTING.” Acta Technica Corviniensis - Bulletin of Engineering, 7(4), 159- 177. Retrieved from https://reddog.rmu.edu/login?url=https://reddog.rmu.edu:3479/ docview/1618069466?accountid=28365 [10] Al-Sakib Khan Pathan. “Basics of Security and Cryptography”. Vol 1. Pp 1-10, 2017. [11] Ultimaco. “Ultimaco Brings the Power of Hardware Security Module Technology to the Cloud”. Vol 1, pp 1-2, 2015. [12] Bhardwaj S., Jain L., Sandeep J.(2015). “Cloud Computing: A Study Of Infrastructure As A Service (Iaas).” International Journal Of Engineering And Information Technology,2(1), 1- 10. [13] Chong N.(2019). “Cloud Computing Challenges in a General Perspective.” Journal of Computing and Management Studies, 1(3), 1-5. [14] Rashid A., Amit C.(2019) “Cloud Computing Characteristics and Services: A Brief Review.” International Journal of Computer Sciences and Engineering, 7(2),1-6.