Dissertation, Thesis Topics on Cloud computing and virtualisation security

Cloud computing security is a rapidly emerging
research area amidst growing security concerns
among the companies availing cloud hosting
services for their critical IT systems. The virtual
closed user group (V-CUG) mode of cloud
computing operation, upon a massive shared
real infrastructure shared among thousands of
clients, is not yet well understood in the
academic and even in the professional worlds.
There are many unanswered questions because a
direct analogy with self hosted infrastructure
systems is not yet established. Regulators across
the world are facing tough challenges in
allowing the companies to host their critical IT
infrastructures on cloud computing platforms.
Protection of user sessions from the threats on
the Internet takes us back to the old era of Zone
based Firewall security system which was solved
by establishing the Public, Secured and
De-Militarised zones. Intrusion Detection and
Prevention systems extended added advantages
to the Zone based Security System. However,
cloud computing hosting requires the user
sessions to traverse the Internet. Then where
does the Zone based Security comes in picture?
If this is the only way to access the cloud hosted
resources, then what is the solution for secured
access to cloud computing resources? Assuming
that IP-VPN tunneling using IKE with IPSec and
3DES/AES encryption is the solution to
protecting Internet exposed user sessions, how
many tunnels will the cloud hosting providers
terminate at their end? Which VPN aggregator
can support millions of tunnels? What will be the
WAN overload? What will be the performance?
Is it really feasible having millions of IP-VPN
tunnels to secure cloud computing clients?
Please keep in consideration that this is just one
area of security because the issues of Server
operating systems, LAN, applications, web
services, platforms, etc. security at the cloud
hosting end is still unaddressed. What are
service providers doing to ensure that one client
do not get even accidental access to the data of
another client?

Let us begin with the fundamentals. Cloud
computing infrastructures employ the same IT
components that corporations have been using in
their self hosted infrastructures. However,
clouds are deployed at massive scales with
virtualization as their core technology. The
security threats and vulnerabilities are the same
that the world has been witnessing in self hosted
real and virtual infrastructures. In self hosted
environments, corporations have kept
themselves secured by operating within CUG
(Closed User Group) environments, which are
protected from the external world through
peripheral devices like Zone based Firewalls,
Intrusion Prevention Systems, Network
Admission Control, Anomaly Control,
Antivirus/Antispyware, etc. All users in the
CUG go through an organized authorization
system to achieve privilege levels on the secured
computers, and their activities are logged and
monitored. In cloud hosted scenario, the CUG
breaks completely. In fact there is no real CUG -
as it becomes virtual. The sessions between users
and servers, that were highly protected on
private IP addresses on CUG LANs, get exposed
to public IP addresses of the Internet. The
security controls are out of the hands of the end
customers, as the service providers own the
clouds. The end user files and data gets spread
across multiple physical hosts, with no
identifiers determining the location of a
component of a file/folder and its data. The
service providers, on the other hand, use real
components for the entire cloud and only virtual
components for the end customers. Hence,
personalisation becomes a major problem,
because there is nothing real; everything is just
virtual everywhere - the authentications,
authorizations, accounting, file locations,
database locations, sessions, application
demands, servers, etc. The end users get virtual
screens to manage their so called personalized
cloudlet on a massive cloud infrastructure.

The challenge is related to going back to the
olden days of security controls, prevalent in real
CUG environments, and implementing them on
the virtual CUG environments. In your study,
you can pick one of the prominent security
challenges - like access control, network control,
de-militarized zones, web services control,
file/folder security controls, etc. In fact, you
should prefer to choose an area that can be
simulated on a network modelling and
simulation platform - like OPNET, Cisco Packet
Tracer, OMNET++, etc. Do not try to address
more than one areas in your thesis, because your
study would tend to get generalised. I propose
that you should study the following areas in
your dissertation/thesis project about Cloud
Computing Security:

1) Cross-border flow of data
2) Data proliferation
3) Data visibility across virtual boundaries
4) Identity and privilege threats
5) Inadequate data backup and recovery
6) Inadequate risk management by cloud service
providers
7) Inappropriate services accountability
8) Insider threats
9) Internet-based exploits
10) Lack of auditing and forensics support
11) Lack of standardisation
12) Multi-tenancy and virtualisation threats
13) Network-level threats
14) Poor user control on their private computing
and storage environments
15) Unclear ownership of data lifecycle stages
16) Undetermined physical location of data
17) Unreliable data availability
18) Unreliable virtual boundaries
19) Vendor Lock-in
20) Weaker boundaries of shared composite
services

In addition to the security threat areas, you may
like to study security solutions in Cloud
Computing environments.

1) Access controls protected within virtual
boundaries
2) All types of access controls: physical, logical,
networking, systems, and applications
3) All types of controls against exploits: firewalls,
IDS, IPS, web services filtering, spam and
malware filtering,
4) Applicable regulations and compliance needs
5) Appropriate usage of data as per classification
and criticality levels
6) Auditing, monitoring, and assurance of
security controls
7) Availability levels
8) Backups and recovery
9) Certification and assurance
10) Change management
11) Confidentiality, integrity, availability,
reliability, trust, and privacy
12) Cryptography
13) Data classification as per criticality and
applying multi-level controls
14) Data discovery, auditing, and legal/statutory
compliance
15) Data retention and destruction
16) Defining, implementing, and controlling data
ownership
17) Incident and problems identification,
reporting, reviewing, and resolution
18) Information access and handling procedures
and the related non-disclosure agreements
19) Management of resources
20) Multi-cloud data storage and synchronised
data backups on multiple clouds
21) Operations continuity
22) Private networks on the clouds
23) Protection of data
24) Requirements of internal personnel and their
roles and responsibilities
25) Risk management
26) Security auditing - both internal and external
27) Subcontracting on clouds
28) Systems security

Currently, cloud computing service providers
are operating in three different modes - Software
as a Service (SaaS), Platform as a Service (PaaS)
and Infrastructure as a Service (IaaS). Security
solutions services in cloud computing is still
mystery for the customers although service
providers have implemented all standard
technologies that you can imagine: stateful
inspection firewalls, Intrusion Detection and
Prevention devices, Web services firewalls,
Application firewalls, Spam filters, Antivirus,
Anti-Spyware, Gateway Level File Inspections,
etc. But customers are not able to specifically
identify the controls applicable on their
files/folders because they do not know the
physical location of them (as you must be
knowing, files get distributed into multiple
virtual machines spread across multiple data
centres). In this context, a new concept is
evolving. It is called "Security as a Service
(SECaaS). In Security-as-a-service, a service
provider builds a lot of controls for the
customers that can be shared through
"subscription model" (similar to the cloud
computing model) and can assure security for
the customers' assets by seamlessly integrating
their solutions with the Cloud Hosting service
providers. The customer just needs to buy an
Internet leased line connection with dedicated
public IPs to the SECaaS service provider and
will get all the controls applicable on their
hosted environments. Security as a service for
cloud hosting users is a rapidly emerging
concept in which, the security controls for the
end users are managed by a third party, that
allow the user sessions from thousands of clients
through their systems and ensure optimum
protection and personalization. Their services
span from network security controls to
application security controls. The Internet
Leased Circuit Connection to the SECaaS
provider serves as a backhaul connection to the
Cloud Hosting provider with appropriate
peering between the security controls and the
infrastructure maintained by the cloud provider
(at all levels of the OSI seven layers) and the
corresponding client environment for the
customers.

Your topics may comprise of these frameworks
combined with actual security controls possible
on cloud hosting through platforms of cloud
service providers. The studies may be carried
out by studying various security attributes by
modelling and simulating them on appropriate
network modelling tools (OPNET, Cisco Packet
Tracer, OMNET++, etc.), or by conducting
surveys and interviews of experienced IT
professionals that are managing cloud hosted
services for their end users. Please contact us at
consulting@etcoindia.co or
consulting@etcoindia.net to discuss your interest
area in cloud computing security. We will help
you to formulate appropriate topics, their
descriptions, and your research aims and
objectives, supported by most relevant
literatures. We have helped many students in
completing their research projects on IT security
and IT governance on cloud computing. There
are no dearth of topics as this is an emerging
field that is actively targeted for academic
research studies. However, it should be kept in
mind that the research studies in this field
should yield firm and actionable outcomes, in
the form of IT security strategies, IT governance
strategies, architectures and designs for the end
users of Cloud Computing Hosting and for the
service providers that are still struggling to
convince the global regulators that cloud
computing security is in no way inferior to
traditional self hosted IT infrastructure security.
The standards and global best practices (listed
above) can definitely add value, although the
implementation plans for cloud hosting end user
companies should evolve from academic
research studies.