Keywords applicable to this article: dissertation, research, topics, virtual data centre security,
cloud computing security, virtualization security, unified threat management, cloud computing
hosting security, Cloud-Let security, IT security on cloud computing, performance of cloud
security. By:
Sourabh Kishore, Chief Consulting Officer

Mobile Friendly Page

Please contact us at consulting@etcoindia.co or consulting@etcoindia.net to
discuss your topic or to get ideas about new topics pertaining to your
subject area.
Topic development for Research Projects in Theses and
Dissertations related to Cloud Computing Security,
Cloud-Let Security and Virtualisation Security Frameworks.
Cloud computing security is a rapidly emerging research area amidst growing security concerns among the companies availing cloud hosting services for
their critical IT systems. The virtual closed user group (V-CUG; also called Virtual Private Cloud) mode of cloud computing operation, upon a massive
shared real infrastructure shared among thousands of clients, is not yet well understood in the academic and even in the professional worlds. There are
many unanswered questions because a direct analogy with self hosted infrastructure systems is not yet established. Regulators across the world are
facing tough challenges in allowing the companies to host their critical IT infrastructures on cloud computing platforms. Protection of user sessions from
the threats on the Internet takes us back to the old era of Zone based Firewall security system which was solved by establishing the Public, Secured and
De-Militarised zones. Intrusion Detection and Prevention systems extended added advantages to the Zone based Security System. However, cloud
computing hosting requires the user sessions to traverse the Internet. Then where does the Zone based Security comes in picture? If this is the only way to
access the cloud hosted resources, then what is the solution for secured access to cloud computing resources? Assuming that IP-VPN tunneling using IKE
with IPSec and 3DES/AES encryption is the solution to protecting Internet exposed user sessions, how many tunnels will the cloud hosting providers
terminate at their end? Which VPN aggregator can support millions of tunnels? What will be the WAN overload? What will be the performance? Is it
really feasible having millions of IP-VPN tunnels to secure cloud computing clients? Please keep in consideration that this is just one area of security
because the issues of Server operating systems, LAN, applications, web services, platforms, etc. security at the cloud hosting end is still unaddressed.
What are service providers doing to ensure that one client do not get even accidental access to the data of another client?

Dear Visitor: Please visit the page detailing SUBJECT AREAS OF SPECIALIZATION pertaining to our services to view the broader perspective of our
offerings for Dissertations and Thesis Projects. Please also visit the page having
TOPICS DELIVERED by us.

With Sincere Regards, Sourabh Kishore.

Apologies for the interruption!! Please continue reading!!

Let us begin with the fundamentals. Cloud computing infrastructures employ the same IT components that corporations have been using in their self
hosted infrastructures. However, clouds are deployed at massive scales with virtualization as their core technology. The security threats and
vulnerabilities are the same that the world has been witnessing in self hosted real and virtual infrastructures. In self hosted environments, corporations
have kept themselves secured by operating within CUG (Closed User Group) environments, which are protected from the external world through
peripheral devices like Zone based Firewalls, Intrusion Prevention Systems, Network Admission Control, Anomaly Control, Antivirus/Antispyware, etc.
All users in the CUG go through an organized authorization system to achieve privilege levels on the secured computers, and their activities are logged
and monitored. In cloud hosted scenario, the CUG breaks completely. In fact there is no real CUG - as it becomes virtual (Virtual CUG or Virtual Private
Cloud). The sessions between users and servers, that were highly protected on private IP addresses on CUG LANs, get exposed to public IP addresses of
the Internet. The security controls are out of the hands of the end customers, as the service providers own the clouds. The end user files and data gets
spread across multiple physical hosts, with no identifiers determining the location of a component of a file/folder and its data. The service providers, on
the other hand, use real components for the entire cloud and only virtual components for the end customers. Hence, personalisation becomes a major
problem, because there is nothing real; everything is just virtual everywhere - the authentications, authorizations, accounting, file locations, database
locations, sessions, application demands, servers, networking, and everything else that an IT architect can imagine within an IT infrastructure. The end
users get virtual screens to manage their personalized work areas in a Virtual Private Cloud. For mobile cloud computing, the concept of Cloudlets is used
that serves mobile cloud access for nearest mobile phones and tablets over minimum possible number of hops to a massive cloud infrastructure.

The challenge is related to going back to the olden days of security controls, prevalent in real CUG environments, and implementing them on the virtual
CUG environments. In your study, you can pick one of the prominent security challenges - like access control, network control, de-militarized zones, web
services control, file/folder security controls, etc. In fact, you should prefer to choose an area that can be simulated on a network modelling and simulation
platform - like OPNET, Cisco Packet Tracer, OMNET++, etc. Do not try to address more than one areas in your thesis, because your study would tend to
get generalised. I propose that you should study the following security problem areas in your dissertation/thesis project about Cloud Computing Security.
For defining a unique, narrow, and focussed research topic please contact us at consulting@etcoindia.co or consulting@etcoindia.net to get more topic
suggestions and to discuss your own original, narrow, and focussed research topic with aim, objectives, and hypotheses / research questions.

(1) Cross-border flow of data
(2) Data proliferation
(3) Data visibility across virtual boundaries
(4) Identity and privilege threats
(5) Inadequate data backup and recovery
(6) Inadequate risk management by cloud service providers
(7) Inappropriate services accountability
(8) Insider threats
(9) Internet-based exploits
(10) Lack of auditing and forensics support
(11) Lack of standardisation
(12) Multi-tenancy and virtualisation threats
(13) Network-level threats
(14) Poor user control on their private computing and storage environments
(15) Unclear ownership of data lifecycle stages
(16) Undetermined physical location of data
(17) Unreliable data availability
(18) Unreliable virtual boundaries
(19) Vendor Lock-in
(20) Weaker boundaries of shared composite services
(21) Denial of Service (DoS)
(22) Distributed Denial of Service (DDoS) (simultaneous DoS attacks from multiple sources)
(23) Attacks on Virtual Machine Monitors (VMMs)
(24) Virtualization Exploits
(25) Vulnerabilities of HTML5 and embedded codes in third party websites
(26) Cross-Site Scripting (XSS) breach and mutation and Cross Site Session Requests Forgery (XSSRF)
(27) SQL script injections
(28) Cross virtual channel attacks
(29) Attack signatures and attack-like behaviours
(30) Distributed intrusion mechanisms
(31) Cloud attack surfaces and launchpads
(32) XML scripts and XML data files corruption [example, Type '0' XSS exploit on Document Object Models (DOMs)]
(33) Service-oriented system exploits
(34) Coordinated attacks by a network of attackers
(35) Cyber terrorism through cloud computing
(36) Threats and Vulnerabilities related to Internet of Things (IoT)
(37) Threats and Vulnerabilities related to cloud-based manufacturing and controls systems and to cloud-based supply chains
(38) Hypervisor exploitation risks
(39) Virtual Machines sessions hijacking
(40) Administrator sessions hijacking
(41) Scripts and Code injections in virtual networking switches and routers in Software Defined Networking (SDN)
(42) Malicious code writing through regular and approved cloud-based APIs
(43) Installing sensor scripts for enumerating and manipulating access control lists in Software Defined Networking (SDN)
(44) Malware designed for subversion of DNS responses (DNS poisoning)
(45) Protocol weakness exploitation
(46) Exploiting Openflow controllers and switches in Software Defined Networking (SDN)
(47) Eavesdropping and messages hijacking in the control and management planes in Software Defined Networking (SDN)
(48) Hijacking the control and management plane sessions in Software Defined Networking (SDN)
(49) Eliminating or manipulating the attack traces for fooling the cloud forensics
(50) Traffic sniffing and spoofing in the data plane

In addition to the security threat areas, you may like to study the possible security solutions in the following study areas related to Cloud Computing and
virtualization security. For defining a unique, narrow, and focussed research topic please contact us at consulting@etcoindia.co or
consulting@etcoindia.net to get more topic suggestions and to discuss your topic.

(1) Access controls protected within virtual boundaries
(2) All types of access controls: physical, logical, networking, systems, and applications
(3) All types of controls against exploits: firewalls, IDS, IPS, web services filtering, spam and malware filtering,
(4) Applicable regulations and compliance needs for cloud user and cloud service provider organisations
(5) Appropriate usage of data as per classification and criticality levels
(6) Auditing, monitoring, and assurance of security controls
(7) Availability levels on cloud computing
(8) Backups and recovery on cloud computing
(9) Certification and assurance of cloud-based services
(10) Change management on the clouds
(11) Confidentiality, integrity, availability, reliability, trust, and privacy
(12) Cryptography on the clouds
(13) Data classification as per criticality and applying multi-level controls
(14) Data discovery, auditing, and legal/statutory compliance
(15) Data retention and destruction
(16) Defining, implementing, and controlling data ownership
(17) Incident and problems identification, reporting, reviewing, and resolution
(18) Information access and handling procedures and the related non-disclosure agreements
(19) Management of security resources on the clouds
(20) Multi-cloud data storage and synchronised data backups on multiple clouds
(21) Operations continuity on the clouds
(22) Private networks on the clouds
(23) Protection of personal and business data
(24) Requirements of internal personnel and their roles and responsibilities
(25) Risk management on cloud computing
(26) Security auditing - both internal and external
(27) Subcontracting on clouds
(28) Systems security on cloud computing
(29) Distributed Intrusion Detection and Prevention
(30) Agents-based Security (using static and mobile agents)
(31) Protection of government and defense networks
(32) Protection of RFIDs and Internet of Things integrated with cloud computing
(33) Protection of cloud-based manufacturing, cloud-based process engineering, and cloud-based controls systems
(34) Protection of cloud-based supply chains
(35) Protection of smart home networks
(36) Identity protection of cloud-based users
(37) Protection of cloud-integrated sensor networks
(38) Non-proliferation regulations and controls for cloud-based databases
(39) Privacy and Trust relationships on cloud computing
(40) Study of Cloud Controls Matrix developed by Cloud Security Alliance
(41) Study of Cloud Computing Standards (some of the new standards are listed later in this article)
(42) Cloud-based intelligence to detect the emerging threats proactively
(43) Behavioural data mining and analytics to detect rogue virtual machines
(44) Hybrid security for securing a combination of physical and virtual information assets
(45) Survival and resilience of sensitive data in virtual data centres
(46) Securing embedded systems linked with the clouds
(47) Securing location-based services in mobile cloud computing
(48) Securing cloud-based data communications and cloud telephony
(49) Securing cloud-based collaboration tools
(50 Securing XML data files and XML queries in SaaS
(51) Model-based security for the service abstraction layer
(52) Model-based security for the cloud dispatchers and service allocators
(53) Hypervisor-specific security controls
(54) Encrypted message flows in Openflow management and control layer for virtual switching
(55) Adaptive traffic monitoring, attack detection, and mitigation
(56) Dynamic access control lists (replacing static access control lists)
(57) Baysean inspections and signature-based intrusion detection at Internet Exchange Points (IXPs)
(58) Advanced trust relationships between management and control tools
(59) Securing administrative stations and Virtual Machine Monitors (VMMs)
(60) Intelligent detection and isolation of rogue and compromised virtual machines
(61) Dynamic constitution and enforcement of security policies by mobile intelligent agents
(62) Binary protection algorithms
(63) Advanced transport and storage encryption and protecting the cryptographic keys
(64) Advanced security practices in API coding and application packaging
(65) Advanced security test cases in the Software Development Life Cycle
(66) Anti-phishing and anti-social-Engineering methods and techniques for protecting cloud administrators
(67) Methods and techniques for multi-level validation of session redirects and forwards
(68) Security of cloud objects references
(69) Detecting and preventing forgeries through XSS mutations and XSSR (cross site session requests)
(70) Managing broken sessions and broken authentication requests

Currently, cloud computing service providers are operating in three different modes - Software as a Service (SaaS), Platform as a Service (PaaS) and
Infrastructure as a Service (IaaS). Security solutions services in cloud computing is still mystery for the customers although service providers have
implemented all standard technologies that you can imagine: stateful inspection firewalls, Intrusion Detection and Prevention devices, Web services
firewalls, Application firewalls, Spam filters, Antivirus, Anti-Spyware, Gateway Level File Inspections, etc. These security services are integrated through
the framework of Unified Threat Management (UTM). However, customers are not able to specifically identify the controls applicable on their files/folders
because they do not know the physical location of them (as you must be knowing, files get distributed into multiple virtual machines spread across
multiple data centres). In this context, a new concept is evolving. It is called "Security as a Service (SECaaS). In Security-as-a-service, a service provider
builds a lot of controls for the customers that can be shared through "subscription model" (similar to the cloud computing model) and can assure security
for the customers' assets by seamlessly integrating their solutions with the Cloud Hosting service providers. The customer just needs to buy an Internet
leased line connection with dedicated public IPs to the SECaaS service provider and will get all the controls applicable on their hosted environments.
Security as a service for cloud hosting users is a rapidly emerging concept in which, the security controls for the end users are managed by a third party,
that allow the user sessions from thousands of clients through their systems and ensure optimum protection and personalization. Their services span
from network security controls to application security controls. The Internet Leased Circuit Connection to the SECaaS provider serves as a backhaul
connection to the Cloud Hosting provider with appropriate peering between the security controls and the infrastructure maintained by the cloud provider
(at all levels of the OSI seven layers) and the corresponding client environment for the customers.

In addition to the suggestions above, please contact us at consulting@etcoindia.co or consulting@etcoindia.net to get more
topic suggestions and to discuss your topic. We will be happy to assist you in developing your narrow research topic with
an original contribution based on the research context, research problem, and the research aim, and objectives.

Please visit the page on VIRTUALISATION, CLOUD COMPUTING, AND UNIFIED THREAT MANAGEMENT SYSTEM to read more about the
fundamental concepts.

With Sincere Regards, Sourabh Kishore.

Apologies for the interruption!! Please continue reading!!

I will give you an example of Security-as-a-Service on cloud computing through Unified Threat Management (UTM). When you hire E-Mail services from
Google Apps or any other cloud hosted application service provider, you get a control panel screen through which you can maintain the mailboxes for
your company. All the configurations can be triggered through icons. There will be separate icons through which you can configure your own security
controls, specific to your own subscription only. Some examples of the icons are - Account Level Filtering, User Level Filtering, E-Mail Authentication,
Spam Assassin, SSL configuration panel, etc. Every cloud hosting user that maintains a secured business on the Internet is aware of these icons. These are
security controls specific to a company (virtual closed user group), - but this doesn't mean that the cloud hosting provider has installed any dedicated
security device for the company. These devices work in shared mode for thousands of companies that have hosted their services on the same cloud. In fact
the cloud hosting provider has implemented additional configurations to provide dedicated services to cloud subscribers. Let us take an example of
E-Mail Authentication. Guess what they would have implemented? - just an LDAP Server!! What is there in an LDAP server? - User Accounts, Group
Accounts, Authorizations, Privileges, etc!! Where are the privileges and authorizations configured? - on network objects (files, folders, databases, Mail
boxes, etc.)!! Now what they have added on the cloud? They have added a method to ensure that a company's domain account has become a network
object for them. How will this happen? They have created customized Web Services on E-Mail Servers (like MS Exchange, Q-Mail, or Send mail) in such a
way that each server can host mailboxes for multiple domains and there can be a super user who is the owner of the domain and all mailboxes under it.
To provide privileges to the super user, they have integrated the LDAP server with the customized mail server through appropriate web programming
such that the LDAP server recognizes the domain as the network object and the super user as its owner. This customizing also results in a combined
administration panel for both e-mail server and the LDAP server, to enable the user company to implement their own security controls. Similar settings
can be implemented for other services as well. Given the huge volumes, these security applications (LDAP, Spam filter, IPS, Web Services Firewalls, etc.)
are massive and hence a Security as a Service provider is needed to work closely with the cloud hosting service provider.

Cloud computing hosting can be viewed as external virtualization, which is an extended IT infrastructure for companies that are geographically
dispersed. You may like to study how the principles of IT security management, IT governance, and IT service continuity can be fulfilled by keeping some
part of IT services internal and other services extended to multiple Cloud service providers. To gauge the principles, you may need help from some global
standards and best practices as listed below:

(a) ISO 27001 / 27002 - Information Security (this is related to IT Risk Management as well with build in controls for IT Business Continuity and Disaster
recovery)
(b) ISO 27017 / 27018 - Information security standards based on ISO 27001 / ISO 27002 with dedicated controls for virtualisation network architectures
and cloud computing
(c) ISO 27005, COBIT, RISK IT - IT Risk Management
(d) Val IT - Value proposition to Business by IT (includes IT Service Continuity)
(e) ITIL Versions 2 and 3 - IT Service Continuity is an integral part of overall Service Management Framework
(f) PAS 77 - dedicated standard for IT Service Continuity Management
(g) ISO 24762:2008 - dedicated standard for ICT Disaster Recovery Services
(h) Cloud Security Alliance (CSA) set of controls in the Cloud Controls Matrix (CCM) drawn from a variety of existing security standards ensuring cloud
security compliance to diverse regulations

In addition to the suggestions above, please contact us at consulting@etcoindia.co or consulting@etcoindia.net to get more
topic suggestions and to discuss your topic. We will be happy to assist you in developing your narrow research topic with
an original contribution based on the research context, research problem, and the research aim, and objectives.

Your topics may comprise of these frameworks combined with actual security controls possible on cloud hosting through service providers. The studies
may be carried out by studying various security attributes by modelling and simulating them on appropriate network modelling tools (OPNET, Cisco
Packet Tracer, OMNET++, etc.), or by conducting surveys and interviews of experienced IT professionals that are managing cloud hosted services for their
end users. Please contact us at consulting@etcoindia.co or consulting@etcoindia.net to discuss your interest area in cloud computing security. We will
help you to formulate appropriate topics, their descriptions, and your research aims and objectives, supported by most relevant literatures. We have
helped many students in completing their research projects on IT security and IT governance on cloud computing. There are no dearth of topics as this is
an emerging field that is actively targeted for academic research studies. However, it should be kept in mind that the research studies in this field should
yield firm and actionable outcomes, in the form of IT security strategies, IT governance strategies, architectures and designs for the end users of Cloud
Computing Hosting and for the service providers that are still struggling to convince the global regulators that cloud computing security is in no way
inferior to traditional self hosted IT infrastructure security. The standards and global best practices (listed above) can definitely add value, although the
implementation plans for cloud hosting end user companies should evolve from academic research studies.

Electronic Publishing, and Knowledge & Mentoring Services: through
online collaboration, cooperation, and communications
Copyright 2016 ETCO INDIA. All Rights Reserved
Please contact us at consulting@etcoindia.co or
consulting@etcoindia.net to discuss your topic or to
get ideas about new topics pertaining to your subject
area.