|
Topic development for Research Projects in Theses and Dissertations related to Cloud Computing Security, Cloud-Let Security and Virtualisation Security Frameworks

By Sourabh Kishore

Please contact us at consulting@etcoindia.co or consulting@etcoindia.net to discuss your interest area in cloud computing and virtualisation security research. |
Cloud computing security is a rapidly emerging research area amidst growing security concerns among the companies availing cloud hosting services for their critical IT systems. The virtual closed user group (V-CUG) mode of cloud computing operation, on a massive real infrastructure shared among thousands of clients, is not yet well understood in the academic and even in the professional worlds. There are many unanswered questions because a direct analogy with self hosted infrastructure systems is not yet established. Regulators across the world are facing tough challenges in allowing companies to host their critical IT infrastructures on cloud computing platforms.

Protection of user sessions from threats on the Internet takes us back to the old era of the Zone based Firewall security system, in which the problem was solved by establishing the Public, Secured and De-Militarised zones. Intrusion Detection and Prevention systems added further advantages to the Zone based Security System. However, cloud computing hosting requires the user sessions to traverse the Internet. Then where does Zone based Security come into the picture? If this is the only way to access the cloud hosted resources, then what is the solution for secured access to cloud computing resources? Assuming that IP-VPN tunneling using IKE with IPSec and 3DES/AES encryption is the solution for protecting Internet exposed user sessions, how many tunnels will the cloud hosting providers terminate at their end? Which VPN aggregator can support millions of tunnels? What will be the WAN overload? What will be the performance? Is it really feasible to have millions of IP-VPN tunnels to secure cloud computing clients? Please keep in mind that this is just one area of security, because the security of server operating systems, LAN, applications, web services, platforms, etc. at the cloud hosting end is still unaddressed.
What are service providers doing to ensure that one client does not get even accidental access to the data of another client?

Let us begin with the fundamentals. Cloud computing infrastructures employ the same IT components that corporations have been using in their self hosted infrastructures. However, clouds are deployed at massive scales with virtualization as their core technology. The security threats and vulnerabilities are the same ones that the world has been witnessing in self hosted real and virtual infrastructures. In self hosted environments, corporations have kept themselves secured by operating within CUG (Closed User Group) environments, which are protected from the external world through peripheral devices like Zone based Firewalls, Intrusion Prevention Systems, Network Admission Control, Anomaly Control, Antivirus/Antispyware, etc. All users in the CUG go through an organized authorization system to achieve privilege levels on the secured computers, and their activities are logged and monitored.

In a cloud hosted scenario, the CUG breaks completely. In fact there is no real CUG - it becomes virtual. The sessions between users and servers, which were highly protected on private IP addresses on CUG LANs, get exposed to public IP addresses of the Internet. The security controls are out of the hands of the end customers, as the service providers own the clouds. The end user files and data get spread across multiple physical hosts, with no identifiers determining the location of a component of a file/folder and its data. The service providers, on the other hand, use real components for the entire cloud and only virtual components for the end customers. Hence, personalisation becomes a major problem, because there is nothing real; everything is just virtual everywhere - the authentications, authorizations, accounting, file locations, database locations, sessions, application demands, servers, etc.
The end users get virtual screens to manage their so called personalized cloudlet on a massive cloud infrastructure. The challenge is to go back to the security controls of the olden days, prevalent in real CUG environments, and implement them on the virtual CUG environments. In your study, you can pick one of the prominent security challenges - like access control, network control, de-militarized zones, web services control, file/folder security controls, etc. In fact, you should prefer to choose an area that can be simulated on a network modelling and simulation platform - like OPNET, Cisco Packet Tracer, OMNET++, etc. Do not try to address more than one area in your thesis, because your study would tend to get generalised.

I propose that you should study the following areas in your dissertation/thesis project about Cloud Computing Security:

1) Cross-border flow of data
2) Data proliferation
3) Data visibility across virtual boundaries
4) Identity and privilege threats
5) Inadequate data backup and recovery
6) Inadequate risk management by cloud service providers
7) Inappropriate services accountability
8) Insider threats
9) Internet-based exploits
10) Lack of auditing and forensics support
11) Lack of standardisation
12) Multi-tenancy and virtualisation threats
13) Network-level threats
14) Poor user control on their private computing and storage environments
15) Unclear ownership of data lifecycle stages
16) Undetermined physical location of data
17) Unreliable data availability
18) Unreliable virtual boundaries
19) Vendor Lock-in
20) Weaker boundaries of shared composite services

In addition to the security threat areas, you may like to study security solutions in Cloud Computing environments.
1) Access controls protected within virtual boundaries
2) All types of access controls: physical, logical, networking, systems, and applications
3) All types of controls against exploits: firewalls, IDS, IPS, web services filtering, spam and malware filtering
4) Applicable regulations and compliance needs
5) Appropriate usage of data as per classification and criticality levels
6) Auditing, monitoring, and assurance of security controls
7) Availability levels
8) Backups and recovery
9) Certification and assurance
10) Change management
11) Confidentiality, integrity, availability, reliability, trust, and privacy
12) Cryptography
13) Data classification as per criticality and applying multi-level controls
14) Data discovery, auditing, and legal/statutory compliance
15) Data retention and destruction
16) Defining, implementing, and controlling data ownership
17) Incident and problems identification, reporting, reviewing, and resolution
18) Information access and handling procedures and the related non-disclosure agreements
19) Management of resources
20) Multi-cloud data storage and synchronised data backups on multiple clouds
21) Operations continuity
22) Private networks on the clouds
23) Protection of data
24) Requirements of internal personnel and their roles and responsibilities
25) Risk management
26) Security auditing - both internal and external
27) Subcontracting on clouds
28) Systems security

Currently, cloud computing service providers are operating in three different modes - Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS). Security solutions services in cloud computing are still a mystery for the customers, although service providers have implemented all the standard technologies that you can imagine: stateful inspection firewalls, Intrusion Detection and Prevention devices, Web services firewalls, Application firewalls, Spam filters, Antivirus, Anti-Spyware, Gateway Level File Inspections, etc.
But customers are not able to specifically identify the controls applicable to their files/folders because they do not know their physical location (as you may know, files get distributed into multiple virtual machines spread across multiple data centres). In this context, a new concept is evolving. It is called "Security as a Service" (SECaaS). In Security-as-a-service, a service provider builds a lot of controls for the customers that can be shared through a "subscription model" (similar to the cloud computing model) and can assure security for the customers' assets by seamlessly integrating their solutions with the Cloud Hosting service providers. The customer just needs to buy an Internet leased line connection with dedicated public IPs to the SECaaS service provider and will get all the controls applicable on their hosted environments.

Security as a service for cloud hosting users is a rapidly emerging concept in which the security controls for the end users are managed by a third party that allows the user sessions from thousands of clients through its systems and ensures optimum protection and personalization. Their services span from network security controls to application security controls. The Internet Leased Circuit Connection to the SECaaS provider serves as a backhaul connection to the Cloud Hosting provider, with appropriate peering between the security controls and the infrastructure maintained by the cloud provider (at all levels of the OSI seven layers) and the corresponding client environment for the customers. Your topics may comprise these frameworks combined with actual security controls possible on cloud hosting through platforms of cloud service providers.
The studies may be carried out by studying various security attributes by modelling and simulating them on appropriate network modelling tools (OPNET, Cisco Packet Tracer, OMNET++, etc.), or by conducting surveys and interviews of experienced IT professionals who are managing cloud hosted services for their end users.

Please contact us at consulting@etcoindia.co or consulting@etcoindia.net to discuss your interest area in cloud computing security. We will help you to formulate appropriate topics, their descriptions, and your research aims and objectives, supported by the most relevant literature. We have helped many students in completing their research projects on IT security and IT governance on cloud computing. There is no dearth of topics, as this is an emerging field that is actively targeted for academic research studies. However, it should be kept in mind that the research studies in this field should yield firm and actionable outcomes, in the form of IT security strategies, IT governance strategies, architectures and designs for the end users of Cloud Computing Hosting and for the service providers that are still struggling to convince the global regulators that cloud computing security is in no way inferior to traditional self hosted IT infrastructure security. The standards and global best practices (listed above) can definitely add value, although the implementation plans for cloud hosting end user companies should evolve from academic research studies. |
Electronic Publishing, and Knowledge & Mentoring Services: through online collaboration, cooperation, and communications |
Copyright 2016 ETCOINDIA. All Rights Reserved |