Security Architecture for Cloud Computing

Security Architecture for Cloud Computing

Robin Singh Bhadoria (Indian Institute of Technology Indore, India)
DOI: 10.4018/978-1-4666-6559-0.ch003
OnDemand PDF Download:
No Current Special Offers


Clouds need to address three security issues: confidentiality, integrity, and availability. Security architecture for cloud computing is designed based on the functional architecture. The approach is to enhance the components of a functional architecture with additional components providing various security services. This is an extension of SaaS concept to have several security components that are common to all application and services. Various cloud security issues are discussed in this chapter.
Chapter Preview


The of data can be problematic because of a number of ways it can be achieved since Cloud computing relies on security supported by any Cloud service Provider. As Cloud computing is constantly evolving, new threats are surfacing. An enterprise-wide understanding of the responsibilities, threats and risks should be created to take adequate security measures, establish security organization and instil the security culture. The cloud service provider’s (CSP) interface provides access to the logical endpoints, including the security manager, service manager and the service catalog. These endpoints provide various services to interact with service entities such as VMs, volumes, networks, and composite applications, get audit reports and perform a host of other activities required to fulfil and maintain a cloud service requirement.

The two categories of actors interacting with the CSP interface are:

  • Users;

  • Application programs such as management, automatic provisioning, billing, or audit applications.

The user might also interact through a portal interface using a web browser. The portal interface will be developed using the cloud service provider interfaces. Both actors would be authenticated at the CSP interface by the security manager or present an identity token to the security manager. The following table summarizes the common authentication mechanisms used:

Table 1.
Authentication techniques
Traditional authentication“User name” and “Password”
Application programCertificates or Kerberos tickets
Stronger mechanisms“Identity Federation” and “assertion provisioning”
Cloud userAuthentication tokens

However, it is deemed insecure to embed user names and passwords in application programs. In this case tokenized identity can be profitably used to provide a higher standard of security.

In case of cloud user appropriate mechanisms may vary in different environments. Trust relationships may be employed to strengthen the authentication and authorization mechanisms. There should be clear business leadership for infrastructure and technology services to set priorities, approve plans, agree investments and monitor progress, as well as to lead the introduction and awareness of new IT infrastructure technology with a specific emphasis on information or data security into cloud services (The ISO 17799 Information Security Portal, 2014).

The Alliance of Cloud Security, a group of industry which promotes the cloud computing security best practices and standards, identified total seven areas of security risk. Five of them directly focus on protecting data and platform i.e.

  • 1.

    Unauthorized and nefarious use of cloud services;

  • 2.

    Multitenancy and shared technology issues;

  • 3.

    Data loss;

  • 4.

    Account hijacks;

  • 5.

    Unknown risk.

Key Terms in this Chapter

Data Centre Security: Deals with security of data at several data centres in different locations. It include the protection of servers, stoage, information and provide networking solution in data centres.It supports for real-time, reliable protection for business-critical databases and needed no architecture changes, costly hardware, and database downtime.

Data Backup: It is refers to backing up data to some remote location servers (may be on cloud-based server). Into cloud backup, the data is placed to and accessible from several distributed and connected location that covers a cloud. Data backup into cloud enable cloud consumers to access the data and services remotely and to back up files and data from the cloud consumer’s system or data center to the online storage server.

DNS Cache Poisoning: Adding Malicious code into DNS Cache and is inserted by an attacker. The corruption of entries into domain name system (DNS) server’s table by replacing the malicious code from attacker with rogue address. When a Web client request for a particular page with that address, the client is redirected to that rogue entry in the table to a entirely different address.

Virtualization Security: Virtualization security defend virtual servers and desktops not in favor of malware, but to minimize the operational collision from resource inefficiencies.It help in detecting and removing malware from virtual servers with real time and it blocks malware which try to escape being detecting by uninstalling or otherwise disrupting security program.

Phishing Attack: It is a kind of Internet based fraud that trying to acquire a client’s credentials. It includes stealing of passwords, bank account details, credit card numbers and other secret information related to client. Phishing attacks are more popular in its exploitation of social engineering techniques. These are the exactly information, which a phishers actually wants.

Security Threat: Security threats restricts performance of cloud computing for its better working. There have been many issues in security threats like Auditability, Service-Level Agrement (Contractual obligations), authenticity, reliability.

IP Based Attack: Generally, IP based attacked is refered as IP Spoofing, in which attacker drafted packets with spoofed source IP address, then oppressed the privilege of authorized user that employ authentication based on IP address. A spoofing attack is occur when unauthorized party impersonates another device or user on a network in order to launch attacks against network hosts, steal data, spread malware, or bypass access controls.

Complete Chapter List

Search this Book: