Survey on Privacy and Data Security Issues in Cloud Computing

More documents

Recommendations

Info

<strong>Survey</strong> on Privacy and Data Security Issues in Cloud Computingattackers gain unauthorized access to a database andbecome able to access sensitive information. At times, thehacker’s input data is misunderstood by the web-site as theuser data and allows it to be accessed by the SQL server andthis lets the attacker to have know-how of the functioning ofthe website and make changes into that. Techniques likeavoiding the usage of dynamically generated SQL in thecode, using filtering techniques to clean the user input etc.has to be used to check the SQL injection attacks.Cross Site Scripting (XSS) attacks: which injectmalicious scripts into web contents has become quitepopular since the inception of Web 2.0. A website can beclassified as static or dynamic. Static websites do not sufferfrom the security threats which the dynamic websites dobecause of their dynamism in providing multi-fold servicesto the users. Consequently, these dynamic websites getvictimized by XSS attacks. Quite often it’s observed thatwhile working on net or surfing, some pop ups or webpagesget opened up with the request of being clicked awayto view the content contained in them. Often eitherunintentionally about the possible hazards or out ofcuriosity users clicks on these hazardous links and thus theintruding third party gets control over the user’s privateinformation or hack their accounts after having known theinformation available to them. Various techniques like:Content Based Data Leakage Prevention Technology,Active Content Filtering, Web Application VulnerabilityDetection Technology have already been proposed. Thesetechnologies adopt various methodologies to detect securityflaw and try to fix them.Man in the Middle attacks: Here an intruder tries tointrude in an ongoing conversation between a sender and aclient to inject false information and to have knowledge ofthe important data transferred between them. Many toolsimplementing strong encryption technologies like: Cain,Dsniff, Wsniff, Ettercap, Airjack etc. have been developedin order to provide safeguard against them. Hence, securityat different levels is necessary in order to ensure properimplementation of cloud computing such as: internet accesssecurity, server access security, data privacy accesssecurity, database security and program access security.Additionally, we need to ensure data security at networklayer, and data security at application and physical layer tomaintain a secure cloud.B. Network Level SecurityNetworks are classified into many types like: public orprivate, shared and non-shared, small area or large areanetworks and each of them have a number of securitythreats to deal with. To guarantee network securityfollowing points such as: proper access control,confidentiality and integrity in the network, and maintainingsecurity against the external third party threats should beconsidered while providing network level security.[5]Problems related with the network level security includes:DNS attacks, Sniffer attacks, issue of reused IP address,Denial of Service (DoS) and Distributed Denial of Serviceattacks (DDoS) etc.DNS Attacks: A Domain Name Server (DNS) serverperforms the translation of a domain name to an IP addresssince the domain names are much easy to remember.Therefore, the DNS servers are needed. There are caseswhere the user has been routed to some other evil cloudinstead of the one he asked for by having called the serverby name and so using IP address is not always feasible.Using DNS security measures like: Domain Name SystemSecurity Extensions (DNSSEC) reduces the effects of DNSthreats but still there are cases when these security measuresprove to be inadequate when the path between a sender anda receiver gets rerouted through some evil connection. Itmay happen that the route selected between the sender andreceiver cause security problems even after all the DNSsecurity measures are taken.Sniffer Attacks: These types of attacks are launched byapplications that can capture packets flowing in a network.The data that is being transferred through these packets canbe read if the data is not encrypted and there are chancesthat sensitive information flowing across the network can becaptured and traced. Through the NIC (Network InterfaceCard), a sniffer program ensures that the data/traffic linkedto other systems on the network gets recorded.[11] This canbe achieved by placing the NIC in promiscuous mode andin this mode it can track all data flow on the same network.A malevolent sniffing detection platform can be used todetect a sniffing system running on a network based onRTT (round trip time) and ARP (address resolutionprotocol).Issue of reused IP Addresses: IP-address is basically afinite quantity. Each node of a network is provided an IPaddress. A large number of cases have been observedrelated to re-used IP-address. When a particular user movesout of a network then the IP-address associated with him isassigned to a new user. This risks the security of the newuser as there is certain time lag between the change of an IPaddress in DNS and the clearing of that address in DNScaches. And thus, we can sometimes say that though the oldIP address is being assigned to a new user, the chances ofaccessing the data by some other user is not negligible asthe address still exists in the DNS cache and the databelonging to a particular user may become accessible tosome other user violating the privacy of the original user.BGP Prefix Hijacking: Prefix hijacking is a type ofnetwork attack in which a wrong announcement related tothe IP addresses associated with an Autonomous system(AS) is made and hence malicious parties get access to theuntraceable IP addresses. In the internet, IP space isassociated in blocks and will remain under the control ofAS’s. The information of an IP contained in its regime to allits neighbors can be broadcast by an autonomous system.These AS communicate through the Border GatewayProtocol (BGP) model. At times, because of few errors, afaulty AS may broadcast wrongly about the IPs related withit. In such case, the actual traffic gets routed to some IP otherthan the intended one. Consequently, data is leaked orreaches to some other destination that it actually should not.C. Application Level SecurityApplication level security refers to the usage of hardwareand software resources to provide security to applicationssuch that the attackers are not able to get control over theseapplications and make desirable changes to their format. Inthe current day, attacks are launched, being masked as atrusted user and the system considers them as a trusted userallows full access to the attacking party and gets victimized.The reason behind this is that the obsolete network levelsecurity policies allow only the authorized users to accessthe specific IP address. With the technological progression,these security policies have become outdated as there havebeen instances when the system’s security has beenbreached by accessing the system in the disguise of a132
International Journal of Engineering and Advanced Technology (IJEAT)ISSN: 2249 – 8958, Volume-2, Issue-5, June 2013trusted user. It’s quite possible to imitate a trusted user andcorrupt entire data without even being noticed. Thus, it isnecessary to install higher level of security checks tominimize these risks.Denial of Service Attacks: DoS attempts to make theservices assigned to the authorized users not able to be usedby them. In such an attack, the service becomes unavailableto the authorized user because the server providing theservice is flooded by a large number of requests leading tothe denial of service. Sometimes, we are unable to accessthe site and observe an error due to overloading of theserver with the requests to access the site. This happenswhen the server exceeds its capacity to handle the numberof requests[11]. The occurrence of a DoS attack increasesbandwidth consumption in addition causing congestion andmaking certain parts of the clouds inaccessible to the users.Using an Intrusion Detection System (IDS) is the mostpopular method of defense against this type of attacks.Cookie Positioning: It involves modifying or changing thecontents of cookie to make unauthorized access to awebpage or to an application. Cookies mostly contain theuser’s identity related credentials. Once these cookies areavailable, the content of these cookies can be forged toimitate an authorized user. This can be avoided either byimplementing an encryption scheme for the cookie data orby performing regular cookie cleanup.Hidden field manipulation: While accessing a web-page,there are some fields that are hidden and contain the pagerelated information which are basically used by developers.These fields are highly prone to a hacker attack as they canbe changed easily and posted on the web-page. This resultsin severe security violations.Google Hacking: Google is the best option for findingdetails regarding anything on the net. Google hackingmeans using Google search engine to trace sensitiveinformation that a hacker can use to his benefit whilehacking a user’s account. Usually, hackers try to hit uponthe security loopholes by probing out on Google about thesystem they wish to hack and then after having collected theessential information, the hacker carry out the hacking ofthe concerned system. Sometimes, a hacker is not sure ofthe target. As an alternative, he tries to Google out thetarget based on the loophole he wishes to hack a systemupon. The hacker then searches for all the possible systemswith such a loophole and finds out those having theloopholes he wishes to hack upon. These had been some ofthe security threats that can be launched at the applicationlevel and cause a system downtime disabling the applicationaccess even to the authorized users.[7]V. ENSURING SECURE CLOUD STORAGEIn order to secure the cloud against the various securitythreats and attacks like: SQL injection, Cross Site Scripting(XSS) attacks, DoS attacks, Google Hacking and ForcedHacking, the cloud service providers take up differenttechniques. Some standard techniques so as to detect theabove mentioned attacks are as: avoid the usage ofdynamically generated SQL in the code, validating all userentered parameters, finding the meta-structures used in thecode, removal and disallowing unwanted data andcharacters, etc. For an optimized cost performance ratio, ageneral security framework needs to be worked out. Themain criterion to be fulfilled by the generic securityframework is to interface with any type of cloudenvironment, and to be able to detect and handlecustomized as well as predefined security policies.[3]Security SchemeData Storagesecurity[12]User identitysafety in cloudcomputingTrust model forinteroperabilityand security incross cloud [2]Virtualizeddefence andreputation basedtrustmanagementSuggestedApproachUseshomomorphictoken withdistributedverification oferasure-codeddata towardsensuring datastoragesecurity andlocating theserver beingattacked.Uses activebundlesscheme,wherebypredicates arecompared overencrypted dataand multipartycomputing.1. Separatedomains forproviders andusers, eachwith a specialtrust agent.2. Differenttrust strategiesfor serviceproviders andcustomers.3. Time andtransactionfactors aretaken intoaccount fortrustassignment.1. Uses ahierarchy ofDHT-basedoverlaynetworks, withspecific tasksto beperformed byeach layer.2. Lowestlayer dealswith reputationaggregationand probingcolluders. Thehighest layerdeals withvariousattacks.Strengths1. Supportsdynamicoperations ondata blockssuch as:update, deleteand appendwithout datacorruption andloss.2. Efficientagainst datamodificationand servercolludingattacks as wellas againstbyzantinefailures.Does not needtrusted thirdparty (TTP)for theverification orapproval ofuser identity.Thus theuser’s identityis notdisclosed. TheTTP remainsfree and couldbe used forother purposessuch asdecryption.1. Helps thecustomers toavoidmalicioussuppliers.2. Helps theproviders toavoidcooperating/servingmalicioususers.Extensive useofvirtualizationfor securingcloudsLimitationsThe security incase ofdynamic datastorage hasbeenconsidered.However, theissues with finegrained dataerror locationremain to beaddressed.Active bundlemay not beexecuted at allat the host ofthe requestedservice. Itwould leavethe systemvulnerable. Theidentityremains asecret and theuser is notgrantedpermission tohis requests.Security in avery large scalecross cloudenvironment.This scheme isable to handleonly a limitednumber ofsecurity threatsin a fairly smallenvironment.The proposedmodel is in itsearlydevelopmentalstage and needsfurthersimulations toverify theperformance.133
Page 3: International Journal of Engineerin

Survey on Privacy and Data Security Issues in Cloud Computing

Create successful ePaper yourself

Delete template?

Save as template?