Cloud Computing

THE MAJOR SECURITY CHALLENGES TO CLOUD COMPUTING

Master's (two year) thesis in Informatics (30 credits)
Muhammad Inam ul Haq
2013MASI03

Title: The major security challenges to cloud computing.
Year: 2013
Author: Muhammad Inam ul Haq
Supervisor: Bertil Lind

Abstract

Cloud computing is the computing model in which computing resources such as software, hardware and data are delivered as a service through a web browser or light-weight desktop machine over the internet (Wink, 2012). This computing model abolishes the necessity of sustaining the computer resources locally and hence cuts the cost of valuable resources (Moreno, Montero & Llorente, 2012). A distinctive cloud is affected by different security issues such as Temporary Denial of Service (TDOS) attacks, user identity theft, session hijacking issues and flashing attacks (Danish, 2011).

The purpose of this study is to bridge the research gap between the cloud security measures and the existing security threats. An investigation into the existing cloud service models, security standards, currently adopted security measures and their degree of flawless protection has been done. The theoretical study helped in revealing the security issues and their solutions, whereas the empirical study facilitated in acknowledging the concerns of users and security analysts in regards to those solution strategies. The empirical methods used in this research were interviews and questionnaires to validate the theoretical findings and to grasp the innovativeness of practitioners dealing with cloud security.

With the help of theoretical and empirical research, the two-factor mechanism is proposed that can rule out the possibility of flashing attacks from a remote location and can help in making the cloud components safer. The problem of junk traffic can be solved by configuring the routers to block junk data packets and extraneous queries at the cloud outer-border. This security measure is highly beneficial to cloud security because it offers a security mechanism at the outer boundary of a cloud. It was evaluated that a DOS attack can become a huge dilemma if it affects the routers, and the effective isolation of router-to-router traffic will certainly diminish the threat of a DOS attack to routers.

It is revealed that the data packets that require a session state on the cloud server should be treated separately and with extra security measures because the conventional security measures cannot perform an in-depth analysis of every data packet. This problem can be solved by setting an extra bit in the IP header of those packets that require a state and have a session. Although this change should be done at universal level and would take time, it can provide a protocol-independent way to identify packets which require extra care. It will also assist firewalls to drop bits which are requesting a session state without a state-bit being set.

The cloud security analysts should consider that the interface and authentication layer should not be merged into a single layer because it endangers the authentication system, as the interface is already exposed to the world. The use of login-aiding devices along with secret keys can help in protecting the cloud users. Moreover, a new cloud service model "Dedicated cloud" is proposed in this research work to reinforce the cloud security.

It was discovered that the optimal blend of HTTPS and SSL protocols can resolve the problem of session hijacks. The client interface area should be protected by HTTPS protocols and the secure cookies should be sent through an SSL link along with regular cookies. Disallowing the multiple sessions and the use of trusted IP address lists will help even further.

A reasonable amount of care has been paid to ensure clarity, validity and trustworthiness in the research work to present a verifiable scientific knowledge in a more reader-friendly manner.
These security guidelines will enhance the cloud security and make a cloud more responsive to security threats.

Keywords: Information security, packet filtering, cloud interface, digital signatures, firewalls, ICMP ping attack, data integrity.

Acknowledgements

The research process is by no means an isolated activity and I am grateful to all those who helped me in completing my research work. First and foremost, I would like to thank my tutor, Bertil Lind, for his invaluable comments and suggestions. Without the knowledge I have gained from him, I would have never been able to conduct research in such a scientific manner. The ideas, motivation and encouragement he shared with me will assist me throughout my lifetime.

I am much obliged to my friend, Sophie Clark, for extensive proof-reading of my thesis draft and guiding me in regards to my grammatical errors. She deserves my deepest gratitude for being so kind and helpful.

I would like to thank all the interview and questionnaire participants who kindly shared their views, ideas and knowledge with me. Without their support, I would have never been able to achieve the outcome I did with this research work.

I would also like to thank my family, especially my parents, for their ceaseless support in encouraging and motivating me throughout. It is wholeheartedly their support that assisted me in finishing this research work.

Muhammad Inam ul Haq
Borås, June 2013

Table of Contents

1 INTRODUCTION
  1.1 BACKGROUND
  1.2 STATEMENT OF PROBLEM
  1.3 PURPOSE OF STUDY
  1.4 RESEARCH QUESTIONS
  1.5 TARGET GROUP
  1.6 EXPECTED OUTCOME
  1.7 DELIMITATIONS
  1.8 THE AUTHOR'S EXPERIENCE
  1.9 STRUCTURE OF THE THESIS
2 RESEARCH DESIGN
  2.1 RESEARCH PERSPECTIVE
  2.2 RESEARCH STRATEGY
  2.3 DATA COLLECTION METHODS
  2.4 DATA ANALYSIS METHODS
  2.5 STRATEGIES FOR VALIDATING FINDINGS
  2.6 RESULTS PRESENTATION METHODS
3 THEORETICAL STUDY
  3.1 KEY CONCEPTS
    3.1.1 Cloud computing
    3.1.2 Public cloud
    3.1.3 Private cloud
    3.1.4 Hybrid cloud
    3.1.5 Virtualization of a cloud
    3.1.6 Data integrity
    3.1.7 Application development platform
    3.1.8 Cloud APIs
  3.2 SUBJECT AREAS RELEVANT FOR THE RESEARCH
    3.2.1 Information security
    3.2.2 Anonymous use of internet
    3.2.3 Deployment models of cloud
    3.2.4 Cloud service model
    3.2.5 Architecture of a cloud
    3.2.6 Grid Computing
  3.3 PREVIOUS RESEARCH
    3.3.1 Permanent Denial of Service (PDOS) attacks
    3.3.2 Temporary Denial of Service (DOS) attacks
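
The abstract's session-hijacking recommendations (a secure cookie sent over the encrypted link alongside the regular cookie, no multiple sessions, a trusted IP address list) can be combined as in the following Python example, which is added here and is not code from the thesis. The class name, the cookie names `sid` and `sid_secure`, the sample address ranges and the choice to revoke the old session on a new login are assumptions.

```python
import ipaddress
import secrets
from http.cookies import SimpleCookie

# Constructed sample allowlist (RFC 5737 documentation ranges), an assumption.
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24"),
                ipaddress.ip_network("198.51.100.7/32")]

def _same(a, b):
    # Constant-time comparison; bytes avoid TypeError on non-ASCII input.
    return secrets.compare_digest(a.encode(), b.encode())

class SessionStore:
    """One session per user, tied to a Secure cookie and a trusted IP list."""

    def __init__(self, trusted_nets=TRUSTED_NETS):
        self.trusted_nets = trusted_nets
        self.by_user = {}  # user -> (regular_token, secure_token)

    def ip_trusted(self, ip):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            return False
        return any(addr in net for net in self.trusted_nets)

    def login(self, user, ip):
        """Return Set-Cookie values, or None when the IP is not trusted."""
        if not self.ip_trusted(ip):
            return None
        # Assumption: a new login replaces (revokes) the user's old session.
        tokens = (secrets.token_urlsafe(32), secrets.token_urlsafe(32))
        self.by_user[user] = tokens
        jar = SimpleCookie()
        jar["sid"], jar["sid_secure"] = tokens
        jar["sid"]["httponly"] = True
        jar["sid_secure"]["httponly"] = True
        jar["sid_secure"]["secure"] = True      # sent only over HTTPS
        jar["sid_secure"]["samesite"] = "Strict"
        return [m.OutputString() for m in jar.values()]

    def authorize(self, user, cookie_header, ip, over_tls):
        """Require both cookies, an encrypted link and a trusted source IP."""
        current = self.by_user.get(user)
        if current is None or not over_tls or not self.ip_trusted(ip):
            return False
        jar = SimpleCookie(cookie_header)
        if "sid" not in jar or "sid_secure" not in jar:
            return False
        return (_same(jar["sid"].value, current[0])
                and _same(jar["sid_secure"].value, current[1]))
```

A regular cookie captured from an unencrypted request is not enough to pass `authorize`, because the `sid_secure` value never leaves the encrypted link.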

Details

  • File Type: pdf
  • Content Languages: English
  • File Pages: 103 Page