CHAPTER 2 CLOUD DEPLOYMENT AND SERVICE DELIVERY MODELS


CLOUD SERVICE MODELS

The cloud service models can be grouped into three main categories: Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS) and Software-as-a-Service (SaaS) [36][3]. Apart from these, another cloud service is Storage as a Service (StaaS), which allows users to store their data and access it at any time via the Internet. Examples: Amazon S3, Nirvanix, etc. A cloud service provider can provide any one of the services or all three together. Many more service models are evolving around the cloud world; in this thesis we will also look into the advantages of having Risk Assessment as a Service and Encryption as a Service (EaaS) as an additional security methodology.

Table 2.1 Cloud Service Models

| Cloud Service Model | Definition | Examples |
|---|---|---|
| SaaS (Software as a Service) | Applications that are deployed over a network, typically the web, accessible via browser or program interface; sometimes referred to as software on demand | Facebook, Google Apps (email, calendar, documents), Salesforce.com, Twitter, ZenDesk, Zoho Office |
| PaaS (Platform as a Service) | A platform on which users can build applications using languages, libraries, services and tools supported by the provider | Force.com, Google App Engine, Red Hat OpenShift, Windows Azure |
| IaaS (Infrastructure as a Service) | Processing and storage capacity, networking and other computing resources where the user has control over operating systems and deployed applications; sometimes referred to as utility computing | Amazon Web Services (EC2, S3, DynamoDB, others), GoGrid, ServePath, FlexiScale, Rackspace Mosso |

PLATFORM-AS-A-SERVICE (PaaS)

The PaaS type of cloud computing offers full or partial product development tools or environments that users can access and use online, even in collaboration with others, hosted on the provider's infrastructure. In PaaS, developers create applications on the service provider's platform over the Internet or web. PaaS service providers may use Application Program Interfaces (APIs), gateway software or website portals installed on the customer's premises. GoogleApps and Force.com (an outgrowth of Salesforce.com) are good examples of PaaS. At present there are no standards in cloud computing for interoperability or data portability for developers [36].

SOFTWARE-AS-A-SERVICE (SaaS)

The SaaS type of cloud computing offers users the hardware infrastructure and the software product, and interacts with users through a front-end gateway or portal. Here a provider licenses an application to clients either as a service on demand in a "pay-as-you-go" model or at no charge by subscription. These applications can be accessed from various thin-client interfaces such as web browsers. A user of this service need not maintain, manage or control the underlying cloud infrastructure (i.e. network, operating systems, storage, etc.) [2]. Examples of SaaS clouds are Salesforce and NetSuite [36].

INFRASTRUCTURE-AS-A-SERVICE (IaaS)

The IaaS type of cloud computing distributes a full computer infrastructure via the web or Internet. The most popular IaaS providers, such as Amazon Web Services, offer virtual server instances with unique IP addresses and blocks of storage on demand. In IaaS, customers usually use the service provider's (SP) application program interface (API) to start, stop, access, modify and configure their virtual servers and storage as needed. Examples of IaaS clouds are Eucalyptus (The Eucalyptus Open-source Cloud-computing System), Amazon EC2, Rackspace and Nimbus [2][36].

PRIVACY AND ANONYMIZATION AS A SERVICE (PAaaS)

This service is proposed as a demonstration model to provide data privacy and protection in a particular organization. It also proposes a workflow-oriented approach to managing data in the cloud [37][38].

HARDWARE AS A SERVICE (HaaS)

The idea of buying hardware, or an entire datacenter, under a pay-as-you-use scheme that can scale up and down as per user requirements can be termed Hardware as a Service (HaaS) [39]. Examples of HaaS clouds are Amazon EC2, IBM's Blue Cloud Project, Nimbus, Eucalyptus and Enomalism [38].

IDENTITY AS A SERVICE (IDaaS)

This service is targeted at third-party service providers who provide identity and access control functions (including the user life cycle and sign-on process). It can be used in combination with various other services (software, platform or infrastructure services) and for both public and private clouds [42].

DATA STORAGE AS A SERVICE (DaaS)

This service allows users to pay for the amount of data storage they are using. With this service a separate cloud is formed which provides storage as a service [45]. Examples of such services are Amazon S3, Google Bigtable, Apache HBase, etc. [38].

SECURITY AS A SERVICE (SaaS)

This service allows users to create their own security policies and risk frameworks. In this kind of service, cloud users must identify, assess, measure and prioritize system risks [9].

ANYTHING AS A SERVICE (XaaS)

This is a more general form of representing the deployment of a service. These services could be of any type, and the 'X' in XaaS can be substituted by software, hardware, infrastructure, data, business, IT, security, monitoring, etc. New service models are continually being developed [39][3]. Examples are: IT as a Service [18], Cloud as a Service (CaaS) [3], Management as a Service (MaaS) [3], and models like Backup as a Service (BaaS), Computing as a Service (CaaS), Authentication as a Service (AaaS), Desktop as a Service (DaaS), Hardware Solutions as a Service (HSaaS) and Disaster Recovery as a Service (DRaaS), etc., provided by various hosting providers in the IT market. Some of the most important services are shown in Figure 2.1.

Figure 2.1 Cloud Computing Separation of Responsibilities (http://blogs.technet.com/b/yungchou/archive/2010/12/17/cloud-computing-concepts-for-it-pros-2-3.aspx)

In a traditional on-premise IT environment, the customer manages everything, starting with the network and finishing with the apps. When customers use an IaaS cloud service (think Amazon EC2), the vendor does all hardware management for the customer, but the customer is still responsible for all software layers: operating system, database, frameworks, runtimes, etc. PaaS is a higher-level option where the vendor provides the customer with a fully configured platform that runs the required applications (usually this means the customer might have to adapt their apps somehow, but the cost of adaptation is usually not so big). SaaS is the top-level service option: the vendor manages all components of the customer's IT stack. All three models are useful, although they have different goals and user audiences.

CLOUD DEPLOYMENT SERVICES

According to deployment model, cloud computing can be categorized into four categories (refer to Figure 2.2 [30]):

Figure 2.2 Cloud Service and Deployment Models (https://clickcloudit.wordpress.com/tag/saas/)

PUBLIC CLOUD

A public cloud, or external cloud, is based on the usual mainstream model, in which a service provider makes resources such as storage and applications available to the general public over the Internet or via web applications/web services. Public cloud services may be free or offered on a pay-as-you-go model. In a public cloud, hardware, application and bandwidth costs are covered by the service provider, so set-up is easy and inexpensive for the user. The pay-as-you-go model may also keep resources from being wasted [35][36]. IBM's Blue Cloud, Sun Cloud, Google AppEngine, Windows Azure Services Platform and Amazon Elastic Compute Cloud (EC2) are good examples of public clouds [36].

PRIVATE CLOUD

A private cloud is also referred to as an internal cloud or corporate cloud. Here the provider delivers services to a limited number of users behind a firewall, or user access is limited to mitigate the security risk [35][36]. It can also be a marketing term for a proprietary computing architecture, where marketing media use the words "private cloud" to pitch to organizations that need more control over their data than a third-party hosted service gives them [36]. A private cloud suits a company's own privacy policies; in terms of up-front capital cost, however, it is less beneficial, since it still costs money to buy, build and manage [35]. Amazon's Elastic Compute Cloud (EC2) or Simple Storage Service (S3) is an example of a private cloud [36].

HYBRID CLOUD

A hybrid cloud environment is a combination of public and private cloud, where the infrastructure is hosted partially inside the organization and partially externally in a public cloud [35]. For example, an organization might use Amazon Simple Storage Service (Amazon S3) as a public cloud service to archive its data while keeping in-house storage for operational customer data that needs instant access. Hybrid storage clouds are often valuable for record-keeping and backup functions. It is a good approach for a business that wants to take advantage of cost effectiveness and scalability [36].

COMMUNITY CLOUD

A community cloud arises where a number of organizations have comparable requirements and are willing to share infrastructure so as to gain the benefits of cloud computing. Costs are higher than for a public cloud, and it can sometimes be more expensive, but it may offer a higher level of privacy and security. Google's "Gov Cloud" is a good example of a community cloud [35].

2.3 CHOICE OF RIGHT DEPLOYMENT / DELIVERY MODEL

The choice of the right deployment model is influenced by a number of factors including cost, manageability, integration, security, compliance and quality of service. Table 2.2 summarizes how each deployment model compares on the influencing attributes.

Table 2.2 Comparison of Deployment Models

| Attribute | Private Cloud | Hybrid Cloud / Community Cloud | Public Cloud | On Premise |
|---|---|---|---|---|
| Upfront Costs | High | Medium | Low | High |
| Ongoing Costs | Low | Medium | High | High |
| Security | High | Medium | Low | High |
| Compliance | High | Medium | Low | High |
| Quality of Service | High | Medium | Low | High |
| Integration | High | Medium | Low | High |
| Configurability | Medium | Medium | Low | High |

Based on the above, it can be inferred that although cloud computing offers compelling benefits in terms of high availability, elastic scalability and fast deployments, the risks associated with its adoption cannot be completely eliminated but can be carefully mitigated with extra measures.

EXISTING PROBLEMS IN CLOUD COMPUTING

Cloud computing has turned into a standard information technology operation for many small and large businesses. It offers many considerable advantages, including potential cost savings. There are, however, major risks and disadvantages associated with cloud computing. Its off-site nature is a benefit in many cases but can also be a disadvantage, because the user has no ultimate control over the software applications, including confidential data. The client has to depend on the provider to update, upgrade, maintain and administer them. The user does not have direct access to the software to fix problems when something goes wrong in an application and must rely on the service provider. The user can experience significant problems when the cloud provider is unresponsive or unable to fix the problem quickly.

With respect to privacy, there is the possibility that cloud computing may lead to commingling of information assets with those of other cloud customers, including competitors [23]. With respect to security, Viega (2009) [25] foresees that data and code residing in cloud computing environments will become more tempting targets for hackers. With respect to reliability, Armbrust, M. et al. (2009) [27] argue that few non-cloud IT infrastructures are as robust as cloud computing service offerings, but organizations are still concerned about availability in light of recent outages at Amazon and Google. The Cloud Security Alliance (2009) [6] eschews the notion that cloud computing should be viewed as a black box. The Information Systems Audit and Control Association (ISACA) (2009a) [23] recommends that organizations conduct business impact analyses and risk assessments as part of a major cloud computing governance initiative. As noted by Leavitt (2009) [7], organizations are now evaluating both the risks and rewards of cloud computing. The assumption underlying this study is that this is essential, especially in light of the statement by Nelson (2009) [12] that it is feasible that within the next 5 years, more than 80% of the world's computing and data storage could occur in the Cloud.

The public cloud computing IT-related risks are organized and presented by their potential to align with three primary risk categories identified by the European Network and Information Security Agency (ENISA): (a) policy and organizational risks, (b) technical risks, and (c) legal risks (ENISA, 2009) [5].

In the same way, if a company becomes reliant on cloud-based services and the provider is unable to continue its services, you will rapidly run into trouble. The trouble would quickly become much worse if the provider did not give prior notice in time to allow your business to move to an alternative cloud service.
In today's unstable economic climate, cloud providers may face financial problems or insolvency, which could seriously damage the provider or remove its name from the list of cloud providers. Such financial problems may come suddenly, and a company will often have few alternatives in these situations.

Cloud computing can also carry big risks for integrity and privacy, and especially for user authentication. With a cloud system, a company's sensitive data and information will be stored on third-party servers, and the user will possibly have very limited understanding of or control over this information. If the provider has insufficient security, or its encryption systems or procedures are breached for whatever reason, the company's private and confidential data is compromised. This could have devastating consequences, and could cause legal problems for the company if third-party private information (for example, customer information) is compromised.

Entrepreneurs and small firms face special problems when using cloud systems. The small size and limited resources of these companies make them much more vulnerable to the risks related to cloud use. For example, if a cloud service provider is unable or unwilling to provide service, the user's best option may be urgent legal action. Many small companies are not in a position to engage lawyers effectively in this way, and thus they may not be able to promptly mitigate such a service interruption by the provider. The same holds for the privacy and security risks mentioned above: a small company can rapidly get into significant difficulty if a security violation occurs through its use of cloud-based systems, and it may not have the resources to tackle such a situation effectively [29].

Organizations are increasingly looking to cloud computing to improve operational efficiency, reduce headcount, and help with the bottom line. But security and privacy concerns present a strong barrier to entry. In an age when the consequences and potential costs of mistakes are rising fast for companies that handle confidential and private customer data, IT security professionals must develop better ways of evaluating the security and privacy practices of cloud services. The security and legal landscape for cloud computing is rife with mishaps and uncertainties. In the long run, however, cloud operators will continue to find economies of scale, not only in their core services, but also in their treatment of security.
To take full advantage of the power of cloud computing, end users need assurance about the cloud's treatment of security, privacy, and compliance issues. To that end, we need an industry with open standards, clearer regulations, and community-driven interoperability. A standards-based approach will make it easier for vendors to support flexibility, agility, and expanded cloud service offerings such as collaboration, and it will also make it easier for customers to evaluate cloud vendors and build trust in their privacy and security promises.

There are several problems in cloud computing. This thesis focuses mainly on authentication-based security issues in cloud computing and how they can be mitigated; its main focus is to mitigate the risks in safeguarding data at rest using a new hybrid technique.

CLOUD ADOPTION BARRIERS

Cloud computing has created a fundamental shift in how information technology infrastructure is run and managed, changing both the business and technology sides of IT. But, as with any major change in history, there are supporters and skeptics. Transferring enterprise IT to the cloud is a complex task that includes both technical and organizational challenges. The cloud is a new paradigm that doesn't have a clear one-sentence definition; it includes multiple factors, and therefore transformation to a cloud-based process may seem confusing.

Figure 2.3 Cloud Adoption Barriers

This complexity, paired with uncertainty, creates a number of organizational cloud-adoption barriers. According to a survey conducted by KPMG (Figure 2.3 [6]), security, cost uncertainty, and loss of control are the top three cloud-adoption barriers.

Data security is by far the most challenging barrier to cloud adoption. Data is the most precious corporate asset, and companies want to know that their data is safe. Companies feel confident when they store data internally because they have full control over it. There is, however, no guarantee that data is better protected internally than in a public cloud. In fact, data could be even safer in the public cloud, because public cloud providers may possess a higher level of data security expertise than their customers.

When stored in a public cloud, data can be compromised at several different data-lifecycle stages: during transfer from the internal company network to the public cloud, while it is stored in the public cloud, and during data backup and restore processes. There are fundamental questions to ask in order to ensure data security in a public cloud:

1. Who has access to the data? What are the access-control policies? Do we have full visibility into information regarding these access-control policies?
2. Is data encrypted during transfer from the internal network to the public cloud? What is the encryption algorithm? Can data be encrypted when stored in the cloud? Who holds the encryption keys?
3. If a cloud provider is not supposed to have access to the data, encryption keys should be held only by the company that owns the data. Some of the compliance standards mandate full data encryption, and do not permit cloud providers to hold encryption keys.
4. What is the disaster-recovery process? Does the cloud provider replicate data across multiple datacenters? Are these datacenters located in different geographical locations?
5. If data is stored in only one datacenter and the cloud provider doesn't have the capability to replicate it at other datacenters, this should raise a red flag.
6. What is the data-backup process? Who has access to the backup data? Where is the backup data stored?
7. What is the data-recovery process? How long does data recovery take?
8. What is the security-breach investigation process? Does the cloud provider have security-breach investigation capabilities? This question is often forgotten, but it is very important: if data is compromised, the cloud provider will be the only source of information for any investigation.
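Questions 2 and 3 above turn on who holds the encryption keys. The following added example, which is not part of the original chapter, sketches customer-held-key envelope encryption so that the provider stores only ciphertext and a wrapped data key. It assumes the third-party Python `cryptography` package; the function names, object IDs and sample record are constructed for illustration, and a dict stands in for the cloud store.

```python
"""Customer-held-key envelope encryption (added illustration, not from the chapter).

Assumptions: the third-party `cryptography` package is installed, and a plain
dict stands in for the provider's object store. All names are hypothetical.
"""
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.keywrap import (
    InvalidUnwrap, aes_key_unwrap, aes_key_wrap)


def encrypt_for_upload(master_key: bytes, object_id: str, plaintext: bytes) -> dict:
    """Encrypt on the customer side; the returned blob is all the provider stores."""
    data_key = AESGCM.generate_key(bit_length=256)  # fresh data key per object
    nonce = os.urandom(12)                          # 96-bit nonce for AES-GCM
    # The object ID is authenticated (not encrypted) so blobs cannot be swapped.
    ciphertext = AESGCM(data_key).encrypt(nonce, plaintext, object_id.encode())
    return {
        "nonce": nonce,
        "ciphertext": ciphertext,
        # The data key leaves the premises only wrapped under the master key.
        "wrapped_key": aes_key_wrap(master_key, data_key),
    }


def decrypt_after_download(master_key: bytes, object_id: str, blob: dict) -> bytes:
    """Unwrap the data key with the customer's master key, then decrypt."""
    data_key = aes_key_unwrap(master_key, blob["wrapped_key"])
    return AESGCM(data_key).decrypt(
        blob["nonce"], blob["ciphertext"], object_id.encode())


def run_checks() -> dict:
    """Exercise the lifecycle stages named above with constructed data."""
    master_key = os.urandom(32)               # stays in the company's key store
    record = b"cust_id=1042;card_last4=4242"  # constructed sample record
    cloud = {}                                # stand-in for the public cloud

    # Transfer and storage: only ciphertext and the wrapped key reach the cloud.
    cloud["crm/1042"] = encrypt_for_upload(master_key, "crm/1042", record)
    stored = cloud["crm/1042"]
    results = {
        "roundtrip": decrypt_after_download(master_key, "crm/1042", stored) == record,
        "plaintext_absent": record not in b"".join(stored.values()),
    }

    # Backup/restore: a blob restored under the wrong object ID is rejected.
    try:
        decrypt_after_download(master_key, "crm/9999", stored)
        results["misplaced_restore_rejected"] = False
    except InvalidTag:
        results["misplaced_restore_rejected"] = True

    # Tampering while in storage is caught by the GCM authentication tag.
    flipped = bytes([stored["ciphertext"][0] ^ 1]) + stored["ciphertext"][1:]
    try:
        decrypt_after_download(master_key, "crm/1042", dict(stored, ciphertext=flipped))
        results["tamper_rejected"] = False
    except InvalidTag:
        results["tamper_rejected"] = True

    # Without the master key (the provider's position) the data key stays wrapped.
    try:
        decrypt_after_download(os.urandom(32), "crm/1042", stored)
        results["wrong_key_rejected"] = False
    except InvalidUnwrap:
        results["wrong_key_rejected"] = True
    return results


if __name__ == "__main__":
    for name, ok in run_checks().items():
        print(f"{name}: {ok}")
```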