International Journal of Computer Science & Information Technology (IJCSIT) Vol 5, No 3, June 2013 SECURITY THREATS ON CLOUD COMPUTING VULNERABILITIES Te-Shun Chou Department of Technology Systems, East Carolina University, Greenville, NC, U.S.A. ABSTRACT Clouds provide a powerful computing platform that enables individuals and organizations to perform variety levels of tasks such as: use of online storage space, adoption of business applications, development of customized computer software, and creation of a “realistic” network environment. In previous years, the number of people using cloud services has dramatically increased and lots of data has been stored in cloud computing environments. In the meantime, data breaches to cloud services are also increasing every year due to hackers who are always trying to exploit the security vulnerabilities of the architecture of cloud. In this paper, three cloud service models were compared; cloud security risks and threats were investigated based on the nature of the cloud service models. Real world cloud attacks were included to demonstrate the techniques that hackers used against cloud computing systems. In addition, countermeasures to cloud security breaches are presented. KEYWORDS Cloud computing, cloud security threats and countermeasures, cloud service models 1. INTRODUCTION Cloud computing has been involved in everyone's life. It delivers applications and storage spaces as services over the Internet for little to no cost. Most of us utilize cloud computing services on a daily basis. For example, we use web-based email systems (e.g. Yahoo and Google) to exchange messages with others; social networking sites (e.g. Facebook, LinkedIn, MySpace, and Twitter) to share information and stay in contact with friends; on-demand subscription services (e.g. Netflix and Hulu) to watch TV shows and movies; cloud storages (e.g. Humyo, ZumoDrive, and Dropbox) to store music, videos, photos and documents online; collaboration tools (e.g. Google docs) to work with people on the same document in real time; and online backup tools (e.g. JungleDisk, Carbonite, and Mozy) to automatically back up our data to cloud servers. Cloud computing has also been involved in businesses; companies rent services from cloud computing service providers to reduce operational costs and improve cash flow. For example, the social news website, reddit, rents Amazon Elastic Compute Cloud (EC2) for their digital bulletin board service. The digital photo sharing website, SmugMug, rents Amazon S3 (Simple Storage Service) for their photo hosting service. The automaker, Mazda USA, rents Rackspace for their marketing advertisements. The software company, HRLocker, rents Windows Azure for their human resources software service. There is no doubt that the convenience and low cost of cloud computing services have changed our daily lives; however, the security issues associated with cloud computing make us vulnerable to cybercrimes that happen every day. Hackers employ a variety of techniques to gain access to clouds without legal authorization or disrupt services on clouds in order to achieve specific objectives. Hackers could trick a cloud into treating their illegal activity as a valid instance, therefore, gaining unauthorized access to the information stored in the cloud. DOI : 10.5121/ijcsit.2013.5306 79 International Journal of Computer Science & Information Technology (IJCSIT) Vol 5, No 3, June 2013 Once the exact location of data is located, hackers steal private and sensitive information for criminal activities. According to DataLossDB, there were 1,047 data breach incidents during the first nine months of 2012, compared to 1,041 incidents during the entire year of 2011[1]. Epsilon and Stratfor were two data breach victims. In the data leakage accident, Epsilon leaked millions of names and email addresses from the customer databases. Stratfor’s 75,000 credit card numbers and 860,000 user names and passwords were stolen [2]. Hackers could also take advantage of the massive computing power of clouds to fire attacks to users who are in the same or different networks. For instance, hackers rented a server through Amazon’s EC2 service and carried out an attack to Sony's PlayStation Network [3]. Therefore, a good understanding of cloud security threats is necessary in order to provide more secure services to cloud users. In this paper, section 2 presented an overview of cloud service models. Section 3 investigated the cloud security risks and threats from three various perspectives. Related real world cloud exploits were included. Section 4 introduced countermeasures to cloud security breaches. Finally, the conclusions and future work were presented in the last section. 2. CLOUD SERVICE MODELS Cloud computing involves delivering computing resources (e.g. servers, storages, and applications) as services to end users by cloud computing service providers. End users access on-demand cloud services through web browsers. Cloud computing service providers offer specific cloud services and ensure the quality of the services. Basically, cloud computing includes three layers: the system layer, the platform layer, and the application layer. The bottom layer is the system layer, which includes computational resources such as infrastructure of servers, network devices, memory, and storage. It is known as Infrastructure- as-a-service (IaaS). The computational resources are made available for users as on-demand services. With the use of virtualization technology, IaaS provides virtual machines that allow clients to build complex network infrastructures. This approach not only reduces the cost in buying physical equipment for businesses, it also eases the load of network administration because IT professionals are not required to continuously monitor the health of physical networks. An example of a cloud computing service provider of IaaS is Amazon’s EC2. It provides a virtual computing environment with web service interfaces; by using the interfaces, users can deploy Linux, Solaris or Windows based virtual machines and run their own custom applications. The middle layer is the platform layer and is known as Platform-as-a-Service (PaaS). It is designed to provide a development platform for users to design their specific applications. Services provided by this cloud model include tools and libraries for application development, allowing users to have control over the application deployment and configuration settings. With PaaS, developers are not required to buy software development tools, therefore reducing the cost. GoogleApps is an example of PaaS; it is a suite of Google tools that includes Gmail, Google Groups, Google Calendar, Google Docs, Google Talk, and Google Sites. It allows users to customize these tools on their own domain names. Windows Azure is another PaaS provider. It enables users to build applications using various languages, tools or frameworks. Users can then integrate the applications into their existing IT environments. Finally, the top layer is the application layer, also known as Software-as-a-Service (SaaS). This layer allows users to rent applications running on clouds instead of paying to purchase these applications. Because of its ability to reduce costs, SaaS is popular among companies that deploy their businesses. Groupon is an example that uses SaaS. With the use of the online support solutions provided by Groupon, Zendesk processes its thousands of daily customer tickets more efficiently, thus providing a better customer service. Marathon Data Systems is 80 International Journal of Computer Science & Information Technology (IJCSIT) Vol 5, No 3, June 2013 another example that offers SaaS. It provides solutions for field services such as pest control, lawn and landscaping, heating, air conditioning, plumbing, janitorial, maid, and carpet cleaning services. Table 1 shows examples of cloud computing service providers specialized on three cloud service models. Table 1. Cloud Computing Service Providers on Cloud Service Models Cloud Service Models Cloud Service Providers Antenna Software, Cloud9 Analytics, CVM Solutions, Exoprise Systems, Gageln, Host Analytics, Knowledge Tree, SaaS LiveOps, Reval, Taleo, NetSuite, Google Apps, Microsoft 365, Salesforce.com, Rackspace, IBM, and Joyent Amazon AWS, Google Apps, Microsoft Azure, SAP, PaaS SalesForce, Intuit, Netsuite, IBM, WorkXpress, and Joyent Amazon Elastic Compute Cloud, Rackspace, Bluelock, CSC, IaaS GoGrid, IBM, OpenStack, Rackspace, Savvis, VMware, Terremark, Citrix, Joyent, and BluePoint 3. TAXONOMY OF CLOUD SECURITY THREATS Three cloud service models (SaaS, PaaS and IaaS) not only provide different types of services to end users but also disclose information security issues and risks of cloud computing systems. First, the hackers might abuse the forceful computing capability provided by clouds by conducting illegal activities. IaaS is located in the bottom layer, which directly provides the most powerful functionality of an entire cloud. It maximizes extensibility for users to customize a “realistic” environment that includes virtual machines running with different operating systems. Hackers could rent the virtual machines, analyze their configurations, find their vulnerabilities, and attack other customers’ virtual machines within the same cloud. IaaS also enables hackers to perform attacks, e.g. brute-forcing cracking, that need high computing power. Since IaaS supports multiple virtual machines, it provides an ideal platform for hackers to launch attacks