Topic development for Research Projects in
Theses and Dissertations related to Cloud
Computing Security, Cloud-Let Security and
Virtualisation Security Frameworks: By
Sourabh Kishore

ETCO INDIA - In Service to Learners Since
1983


Please contact us at consulting@etcoindia.co or
consulting@etcoindia.net to discuss your
interest area in cloud computing and
virtualisation security research.

Cloud computing security is a rapidly
emerging research area amidst growing
security concerns among the companies
availing cloud hosting services for their critical
IT systems. The virtual closed user group
(V-CUG; also called Virtual Private Cloud)
mode of cloud computing operation, running on
a massive real infrastructure shared
among thousands of clients, is not yet well
understood in the academic and even in the
professional worlds. There are many
unanswered questions because a direct
analogy with self hosted infrastructure systems
is not yet established. Regulators across the
world are facing tough challenges in allowing
the companies to host their critical IT
infrastructures on cloud computing platforms.
Protection of user sessions from threats on
the Internet takes us back to the era of the
Zone based Firewall security system, in which
the problem was solved by establishing the
Public, Secured and De-Militarised zones.
Intrusion Detection and Prevention systems
added further advantages to the Zone based
Security System. However, cloud computing
hosting requires the user sessions to traverse
the Internet. Then where does Zone based
Security come into the picture? If this is the
only way to access the
cloud hosted resources, then what is the
solution for secured access to cloud computing
resources? Assuming that IP-VPN tunneling
using IKE with IPSec and 3DES/AES
encryption is the solution to protecting Internet
exposed user sessions, how many tunnels will
the cloud hosting providers terminate at their
end? Which VPN aggregator can support
millions of tunnels? What will be the WAN
overload? What will be the performance? Is it
really feasible having millions of IP-VPN
tunnels to secure cloud computing clients?
Please keep in mind that this is just
one area of security, because the security of
server operating systems, LAN, applications,
web services, platforms, etc. at the
cloud hosting end is still unaddressed. What
are service providers doing to ensure that one
client does not get even accidental access to the
data of another client?

Let us begin with the fundamentals. Cloud
computing infrastructures employ the same IT
components that corporations have been using
in their self hosted infrastructures. However,
clouds are deployed at massive scales with
virtualization as their core technology. The
security threats and vulnerabilities are the
same that the world has been witnessing in self
hosted real and virtual infrastructures. In self
hosted environments, corporations have kept
themselves secured by operating within CUG
(Closed User Group) environments, which are
protected from the external world through
peripheral devices like Zone based Firewalls,
Intrusion Prevention Systems, Network
Admission Control, Anomaly Control,
Antivirus/Antispyware, etc. All users in the
CUG go through an organized authorization
system to achieve privilege levels on the
secured computers, and their activities are
logged and monitored. In a cloud hosted
scenario, the CUG breaks completely. In fact,
there is no real CUG, as it becomes virtual
(Virtual CUG or Virtual Private Cloud). The
sessions between users and servers, that were
highly protected on private IP addresses on
CUG LANs, get exposed to public IP addresses
of the Internet. The security controls are out of
the hands of the end customers, as the service
providers own the clouds. The end users' files
and data get spread across multiple physical
hosts, with no identifiers determining the
location of a component of a file/folder and its
data. The service providers, on the other hand,
use real components for the entire cloud and
only virtual components for the end customers.
Hence, personalisation becomes a major
problem, because there is nothing real;
everything is just virtual everywhere - the
authentications, authorizations, accounting, file
locations, database locations, sessions,
application demands, servers, networking, and
everything else that an IT architect can
imagine within an IT infrastructure. The end
users get virtual screens to manage their
personalized work areas in a Virtual Private
Cloud. For mobile cloud computing, the
concept of Cloudlets is used: a Cloudlet serves
cloud access to the nearest mobile phones and
tablets over the minimum possible number of
hops to a massive cloud infrastructure.

The challenge is to go back to the
security controls of earlier days, prevalent in
real CUG environments, and to implement
them in the virtual CUG environments. In
your study, you can pick one of the prominent
security challenges - like access control,
network control, de-militarized zones, web
services control, file/folder security controls,
etc. In fact, you should prefer to choose an area
that can be simulated on a network modelling
and simulation platform - like OPNET, Cisco
Packet Tracer, OMNET++, etc. Do not try to
address more than one area in your thesis,
because your study would tend to get
generalised. I propose that you should study
the following security problem areas in your
dissertation/thesis project about Cloud
Computing Security.

(1) Cross-border flow of data
(2) Data proliferation
(3) Data visibility across virtual boundaries
(4) Identity and privilege threats
(5) Inadequate data backup and recovery
(6) Inadequate risk management by cloud
service providers
(7) Inappropriate services accountability
(8) Insider threats
(9) Internet-based exploits
(10) Lack of auditing and forensics support
(11) Lack of standardisation
(12) Multi-tenancy and virtualisation threats
(13) Network-level threats
(14) Poor user control on their private
computing and storage environments
(15) Unclear ownership of data lifecycle stages
(16) Undetermined physical location of data
(17) Unreliable data availability
(18) Unreliable virtual boundaries
(19) Vendor Lock-in
(20) Weaker boundaries of shared composite
services
(21) Denial of Service (DoS)
(22) Distributed Denial of Service (DDoS)
(simultaneous DoS attacks from multiple
sources)
(23) Attacks on Virtual Machine Monitors
(VMMs)
(24) Virtualization Exploits
(25) Vulnerabilities of HTML5 and embedded
codes in third party websites
(26) Cross-Site Scripting (XSS) breach and
mutation and Cross Site Session Requests
Forgery (XSSRF)
(27) SQL script injections
(28) Cross virtual channel attacks
(29) Attack signatures and attack-like
behaviours
(30) Distributed intrusion mechanisms
(31) Cloud attack surfaces and launchpads
(32) XML scripts and XML data files corruption
[example, Type '0' XSS exploit on Document
Object Models (DOMs)]
(33) Service-oriented system exploits
(34) Coordinated attacks by a network of
attackers
(35) Cyber terrorism through cloud computing
(36) Threats and Vulnerabilities related to
Internet of Things (IoT)
(37) Threats and Vulnerabilities related to
cloud-based manufacturing and controls
systems and to cloud-based supply chains
(38) Hypervisor exploitation risks
(39) Virtual Machines sessions hijacking
(40) Administrator sessions hijacking
(41) Scripts and Code injections in virtual
networking switches and routers in Software
Defined Networking (SDN)
(42) Malicious code writing through regular
and approved cloud-based APIs
(43) Installing sensor scripts for enumerating
and manipulating access control lists in
Software Defined Networking (SDN)
(44) Malware designed for subversion of DNS
responses (DNS poisoning)
(45) Protocol weakness exploitation
(46) Exploiting OpenFlow controllers and
switches in Software Defined Networking
(SDN)
(47) Eavesdropping and messages hijacking in
the control and management planes in
Software Defined Networking (SDN)
(48) Hijacking the control and management
plane sessions in Software Defined
Networking (SDN)
(49) Eliminating or manipulating the attack
traces for fooling the cloud forensics
(50) Traffic sniffing and spoofing in the data
plane

We also offer to develop the "problem
description and statement", "aim, objectives,
research questions", "design of methodology
and methods", and "15 to 25 most relevant
citations per topic" for three topics of your
choice of research areas at a nominal fee.
Such a synopsis shall help you in focussing,
critically thinking, discussing with your
reviewer, and developing your research
proposal. To avail this service, please click
here for more details.

In addition to the security threat areas, you
may like to study the possible security
solutions in the following study areas related
to Cloud Computing and virtualization
security.

(1) Access controls protected within virtual
boundaries
(2) All types of access controls: physical,
logical, networking, systems, and applications
(3) All types of controls against exploits:
firewalls, IDS, IPS, web services filtering, spam
and malware filtering
(4) Applicable regulations and compliance
needs for cloud user and cloud service
provider organisations
(5) Appropriate usage of data as per
classification and criticality levels
(6) Auditing, monitoring, and assurance of
security controls
(7) Availability levels on cloud computing
(8) Backups and recovery on cloud computing
(9) Certification and assurance of cloud-based
services
(10) Change management on the clouds
(11) Confidentiality, integrity, availability,
reliability, trust, and privacy
(12) Cryptography on the clouds
(13) Data classification as per criticality and
applying multi-level controls
(14) Data discovery, auditing, and
legal/statutory compliance
(15) Data retention and destruction
(16) Defining, implementing, and controlling
data ownership
(17) Incident and problems identification,
reporting, reviewing, and resolution
(18) Information access and handling
procedures and the related non-disclosure
agreements
(19) Management of security resources on the
clouds
(20) Multi-cloud data storage and synchronised
data backups on multiple clouds
(21) Operations continuity on the clouds
(22) Private networks on the clouds
(23) Protection of personal and business data
(24) Requirements of internal personnel and
their roles and responsibilities
(25) Risk management on cloud computing
(26) Security auditing - both internal and
external
(27) Subcontracting on clouds
(28) Systems security on cloud computing
(29) Distributed Intrusion Detection and
Prevention
(30) Agents-based Security (using static and
mobile agents)
(31) Protection of government and defense
networks
(32) Protection of RFIDs and Internet of Things
integrated with cloud computing
(33) Protection of cloud-based manufacturing,
cloud-based process engineering, and
cloud-based controls systems
(34) Protection of cloud-based supply chains
(35) Protection of smart home networks
(36) Identity protection of cloud-based users
(37) Protection of cloud-integrated sensor
networks
(38) Non-proliferation regulations and controls
for cloud-based databases
(39) Privacy and Trust relationships on cloud
computing
(40) Study of Cloud Controls Matrix developed
by Cloud Security Alliance
(41) Study of Cloud Computing Standards
(some of the new standards are listed later in
this article)
(42) Cloud-based intelligence to detect the
emerging threats proactively
(43) Behavioural data mining and analytics to
detect rogue virtual machines
(44) Hybrid security for securing a combination
of physical and virtual information assets
(45) Survival and resilience of sensitive data in
virtual data centres
(46) Securing embedded systems linked with
the clouds
(47) Securing location-based services in mobile
cloud computing
(48) Securing cloud-based data
communications and cloud telephony
(49) Securing cloud-based collaboration tools
(50) Securing XML data files and XML queries
in SaaS
(51) Model-based security for the service
abstraction layer
(52) Model-based security for the cloud
dispatchers and service allocators
(53) Hypervisor-specific security controls
(54) Encrypted message flows in OpenFlow
management and control layer for virtual
switching
(55) Adaptive traffic monitoring, attack
detection, and mitigation
(56) Dynamic access control lists (replacing
static access control lists)
(57) Bayesian inspections and signature-based
intrusion detection at Internet Exchange Points
(IXPs)
(58) Advanced trust relationships between
management and control tools
(59) Securing administrative stations and
Virtual Machine Monitors (VMMs)
(60) Intelligent detection and isolation of rogue
and compromised virtual machines
(61) Dynamic constitution and enforcement of
security policies by mobile intelligent agents
(62) Binary protection algorithms
(63) Advanced transport and storage
encryption and protecting the cryptographic
keys
(64) Advanced security practices in API coding
and application packaging
(65) Advanced security test cases in the
Software Development Life Cycle
(66) Anti-phishing and anti-social-Engineering
methods and techniques for protecting cloud
administrators
(67) Methods and techniques for multi-level
validation of session redirects and forwards
(68) Security of cloud objects references
(69) Detecting and preventing forgeries
through XSS mutations and XSSR (cross site
session requests)
(70) Managing broken sessions and broken
authentication requests
(71) Advanced deceptive techniques to attract
hackers into Honey Pots or Honey Nets
(72) Deep learning of anomalies in embedded
systems in Industrial Internet of Things (both
sensors and actuators)
(73) Correlation of alerts and alarms received
from Industrial Internet of Things to detect
malicious attempts
(74) Integrated mobile security agents in
Industrial Internet of Things (both sensors and
actuators)
(75) Real-time machine learning sensing false
positives in Industrial Alerts and Alarms
received from Industrial Internet of Things

Currently, cloud computing service providers
are operating in three different modes -
Software as a Service (SaaS), Platform as a
Service (PaaS) and Infrastructure as a Service
(IaaS). Security solution services in cloud
computing are still a mystery for the customers,
although service providers have implemented
all standard technologies that you can imagine:
stateful inspection firewalls, Intrusion
Detection and Prevention devices, Web
services firewalls, Application firewalls, Spam
filters, Antivirus, Anti-Spyware, Gateway
Level File Inspections, etc. These security
services are integrated through the framework
of Unified Threat Management (UTM).
However, customers are not able to specifically
identify the controls applicable to their
files/folders because they do not know their
physical location (as you may know,
files get distributed into multiple
virtual machines spread across multiple data
centres). In this context, a new concept is
evolving. It is called "Security as a Service"
(SECaaS). In Security-as-a-Service, a service
provider builds a lot of controls for the
customers that can be shared through
"subscription model" (similar to the cloud
computing model) and can assure security for
the customers' assets by seamlessly integrating
their solutions with the Cloud Hosting service
providers. The customer just needs to buy an
Internet leased line connection with dedicated
public IPs to the SECaaS service provider and
will get all the controls applicable on their
hosted environments. Security as a service for
cloud hosting users is a rapidly emerging
concept in which the security controls for the
end users are managed by a third party that
allows the user sessions from thousands of
clients through its systems and ensures
optimum protection and personalization. Their
services span from network security controls to
application security controls. The Internet
Leased Circuit Connection to the SECaaS
provider serves as a backhaul connection to the
Cloud Hosting provider with appropriate
peering between the security controls and the
infrastructure maintained by the cloud
provider (at all levels of the OSI seven layers)
and the corresponding client environment for
the customers.


Please visit the page on VIRTUALISATION,
CLOUD COMPUTING, AND UNIFIED
THREAT MANAGEMENT SYSTEM to read
more about the fundamental concepts.

With Sincere Regards, Sourabh Kishore.


I will give you an example of
Security-as-a-Service on cloud computing
through Unified Threat Management (UTM).
When you hire E-Mail services from Google
Apps or any other cloud hosted application
service provider, you get a control panel screen
through which you can maintain the mailboxes
for your company. All the configurations can
be triggered through icons. There will be
separate icons through which you can
configure your own security controls, specific
to your own subscription only. Some examples
of the icons are - Account Level Filtering, User
Level Filtering, E-Mail Authentication,
SpamAssassin, SSL configuration panel, etc. Every
cloud hosting user that maintains a secured
business on the Internet is aware of these icons.
These are security controls specific to a
company (virtual closed user group), but this
doesn't mean that the cloud hosting provider
has installed any dedicated security device for
the company. These devices work in shared
mode for thousands of companies that have
hosted their services on the same cloud. In fact
the cloud hosting provider has implemented
additional configurations to provide dedicated
services to cloud subscribers. Let us take an
example of E-Mail Authentication. Guess what
they would have implemented? - just an LDAP
Server!! What is there in an LDAP server? -
User Accounts, Group Accounts,
Authorizations, Privileges, etc!! Where are the
privileges and authorizations configured? - on
network objects (files, folders, databases, Mail
boxes, etc.)!! Now what they have added on
the cloud? They have added a method to
ensure that a company's domain account has
become a network object for them. How will
this happen? They have created customized
Web Services on E-Mail Servers (like MS
Exchange, Q-Mail, or Sendmail) in such a way
that each server can host mailboxes for
multiple domains and there can be a super user
who is the owner of the domain and all
mailboxes under it. To provide privileges to
the super user, they have integrated the LDAP
server with the customized mail server
through appropriate web programming such
that the LDAP server recognizes the domain as
the network object and the super user as its
owner. This customizing also results in a
combined administration panel for both e-mail
server and the LDAP server, to enable the user
company to implement their own security
controls. Similar settings can be implemented
for other services as well. Given the huge
volumes, these security applications (LDAP,
Spam filter, IPS, Web Services Firewalls, etc.)
are massive and hence a Security as a Service
provider is needed to work closely with the
cloud hosting service provider.
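
The domain-as-network-object arrangement described above can be sketched as a tenant-scoped authorization check on a shared directory. This is an added example, not the configuration of any provider named in this article; the domains, accounts, and function names are constructed for illustration. It puts a weak suffix-based ownership test beside a strict one, since a loose match is exactly how one client could get accidental access to another client's mailboxes.

```python
"""Added illustration: tenant-scoped authorization on a shared mail directory.
All domains, accounts and function names are constructed for this example."""
from dataclasses import dataclass, field


def normalise(address):
    """Split a mailbox address into (local, domain), lower-cased."""
    local, sep, domain = address.strip().rpartition("@")
    domain = domain.lower().rstrip(".")
    if not sep or not local or not domain:
        raise ValueError(f"not a mailbox address: {address!r}")
    return local.lower(), domain


@dataclass
class Domain:
    name: str                                    # hosted domain = directory object
    owner: str                                   # the domain's "super user"
    mailboxes: set = field(default_factory=set)  # mailboxes under the domain


class SharedDirectory:
    """One directory serving many tenant domains on the same platform."""

    def __init__(self):
        self.domains = {}   # domain name -> Domain
        self.audit = []     # (actor, mailbox, decision) for later review

    def add_domain(self, name, owner):
        name = name.lower().rstrip(".")
        self.domains[name] = Domain(name, "@".join(normalise(owner)))

    def add_mailbox(self, address):
        local, domain = normalise(address)
        self.domains[domain].mailboxes.add(f"{local}@{domain}")

    def can_manage_naive(self, actor, mailbox):
        # Weak check: a string suffix match treats "notacme.test" as if it
        # were part of "acme.test", crossing the tenant boundary.
        actor = "@".join(normalise(actor))
        return any(d.owner == actor and mailbox.lower().endswith(d.name)
                   for d in self.domains.values())

    def can_manage(self, actor, mailbox):
        # Strict check: exact domain lookup, owner match, mailbox must exist.
        try:
            actor = "@".join(normalise(actor))
            local, domain = normalise(mailbox)
        except ValueError:
            allowed = False
        else:
            entry = self.domains.get(domain)
            allowed = (entry is not None and entry.owner == actor
                       and f"{local}@{domain}" in entry.mailboxes)
        self.audit.append((actor, mailbox, allowed))
        return allowed


def build_sample():
    """Two constructed tenants sharing one directory."""
    d = SharedDirectory()
    d.add_domain("acme.test", owner="admin@acme.test")
    d.add_domain("notacme.test", owner="root@notacme.test")
    for box in ("admin@acme.test", "sales@acme.test",
                "root@notacme.test", "ceo@notacme.test"):
        d.add_mailbox(box)
    return d


if __name__ == "__main__":
    d = build_sample()
    for target in ("sales@acme.test", "ceo@notacme.test", "ghost@acme.test"):
        print(target,
              "naive:", d.can_manage_naive("admin@acme.test", target),
              "strict:", d.can_manage("admin@acme.test", target))
```
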

Cloud computing hosting can be viewed as
external virtualization, which is an extended IT
infrastructure for companies that are
geographically dispersed. You may like to
study how the principles of IT security
management, IT governance, and IT service
continuity can be fulfilled by keeping some
part of IT services internal and other services
extended to multiple Cloud service providers.
To gauge the principles, you may need help
from some global standards and best practices
as listed below:

(a) ISO 27001 / 27002 - Information Security
(this is related to IT Risk Management as well,
with built-in controls for IT Business
Continuity and Disaster Recovery)
(b) ISO 27017 / 27018 - Information security
standards based on ISO 27001 / ISO 27002
with dedicated controls for virtualisation
network architectures and cloud computing
(c) ISO 27005, COBIT, RISK IT - IT Risk
Management
(d) Val IT - Value proposition to Business by IT
(includes IT Service Continuity)
(e) ITIL Versions 2 and 3 - IT Service
Continuity is an integral part of overall Service
Management Framework
(f) PAS 77 - dedicated standard for IT Service
Continuity Management
(g) ISO 24762:2008 - dedicated standard for
ICT Disaster Recovery Services
(h) Cloud Security Alliance (CSA) set of
controls in the Cloud Controls Matrix (CCM)
drawn from a variety of existing security
standards ensuring cloud security compliance
to diverse regulations


Your topics may comprise these frameworks
combined with actual security controls possible
on cloud hosting through service providers.
The studies may be carried out by studying
various security attributes by modelling and
simulating them on appropriate network
modelling tools (OPNET, Cisco Packet Tracer,
OMNET++, etc.), or by conducting surveys
and interviews of experienced IT professionals
that are managing cloud hosted services for
their end users. We
will help you to formulate appropriate topics,
their descriptions, and your research aims and
objectives, supported by the most relevant
literature. We have helped many students in
completing their research projects on IT
security and IT governance on cloud
computing. There is no dearth of topics, as
this is an emerging field that is actively
targeted for academic research studies.
However, it should be kept in mind that the
research studies in this field should yield firm
and actionable outcomes, in the form of IT
security strategies, IT governance strategies,
architectures and designs for the end users of
Cloud Computing Hosting and for the service
providers that are still struggling to convince
the global regulators that cloud computing
security is in no way inferior to traditional self
hosted IT infrastructure security. The
standards and global best practices (listed
above) can definitely add value, although the
implementation plans for cloud hosting end
user companies should evolve from academic
research studies.



Electronic Publishing, and Knowledge & Mentoring Services: through
online collaboration, cooperation, and communications
Copyright 2019 - 2020 ETCOINDIA. All Rights Reserved