Security Mechanisms For Cloud Storage

The document discusses several important security mechanisms for cloud computing systems, including identity-based encryption, process isolation, homomorphic encryption, border gateway protocol, network segmentation, encryption, digital signatures, public key infrastructure (PKI), single sign-on (SSO), and security at the application level through intrusion detection. These mechanisms help ensure data privacy, integrity, and access control for users' data stored and processed in the cloud.

Uploaded by

Moktar Ammar

Security Mechanisms

To deal with these security issues, the Cloud provider must put in place sufficient controls to provide the required level of security. This part reviews the most important security mechanisms that have been proposed in the literature to protect Cloud computing systems.

Security Mechanisms for Cloud Storage

- Identity-based encryption (IBE):
User data needs to be readable by the intended users and protected from unauthorized access. To share data securely in Cloud storage, cryptographic techniques have been researched. One fundamental technique is the identity-based encryption scheme, which enables a user specified by an identity to decrypt data. An Identity-Based Encryption (IBE) system is a public key system where the public key can be an arbitrary string such as an email address. A central authority uses a master key to issue private keys to identities that request them. The first construction for a hierarchical identity-based encryption (HIBE) system was proposed by Gentry et al. It predefines the user structure, and decryption keys are created following that structure. HIBE is a generalization of IBE that mirrors an organizational hierarchy: an identity at level k of the hierarchy tree can issue private keys to its descendant identities, but cannot decrypt messages intended for other identities. A user can access a file only if the user's attributes satisfy the file's access structure.
- Process Isolation:
Data protection focuses on the need for data privacy and isolation, since data from different customers resides in a common data center in Cloud computing platforms. Data needs to be carefully handled so that it cannot be mixed with that of another user. Information flow control (IFC) tags data entering the system and isolates the data belonging to different users.
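The tagging-and-isolation idea above, as an added example that is not code from the page: every value entering the system is labelled with the tenant it came from, derived values inherit the labels of all their inputs, and a value may only flow to a sink (a per-tenant bucket here) whose tenant covers every label on it. The tenant names, values and the `TenantBucket` sink are constructed for the illustration.

```python
"""Label-based information flow control (IFC) for multi-tenant data (added example)."""
from dataclasses import dataclass, field


class FlowViolation(Exception):
    """Raised when tagged data would flow to a sink it is not allowed to reach."""


@dataclass(frozen=True)
class Tagged:
    """A value carrying the set of tenants whose data it (partly) contains."""
    value: object
    tenants: frozenset

    @staticmethod
    def ingest(value, tenant):
        # Tag data at the system boundary with the tenant it came from.
        return Tagged(value, frozenset({tenant}))

    def combine(self, other, op):
        # Any derived value inherits the tags of *all* of its inputs.
        return Tagged(op(self.value, other.value), self.tenants | other.tenants)


@dataclass
class TenantBucket:
    """A per-tenant sink: only data tagged exclusively with this tenant may land here."""
    tenant: str
    contents: list = field(default_factory=list)

    def write(self, item):
        # The flow check: every label on the item must be covered by this tenant.
        if not item.tenants <= {self.tenant}:
            raise FlowViolation(
                f"data tagged {sorted(item.tenants)} may not flow to bucket of {self.tenant!r}"
            )
        self.contents.append(item.value)
        return True


def demo_isolation():
    """Constructed scenario: two tenants' records processed on one shared node."""
    a = Tagged.ingest(120, "tenant-a")
    b = Tagged.ingest(80, "tenant-b")
    bucket_a = TenantBucket("tenant-a")

    # Purely tenant-a data may be written to tenant-a's bucket.
    bucket_a.write(a.combine(Tagged.ingest(5, "tenant-a"), lambda x, y: x + y))  # 125
    # A value derived from both tenants carries both labels and is blocked.
    mixed = a.combine(b, lambda x, y: x + y)
    try:
        bucket_a.write(mixed)
        leaked = True
    except FlowViolation:
        leaked = False
    return bucket_a.contents, sorted(mixed.tenants), leaked


if __name__ == "__main__":
    print(demo_isolation())
```

The check is deliberately on the sink rather than on the operation: computation on mixed data is allowed, but the result can never leave the system towards a single tenant, which is the property the isolation mechanism is meant to give.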
- Homomorphic encryption:
Because the execution of programs is distributed by nature in Cloud computing, users cannot be certain where their input and output data are managed. This raises confidentiality and privacy issues that are not fully solved by existing security solutions. One proposed approach uses a homomorphic token with distributed verification of erasure-coded data to ensure data storage security. This approach supports dynamic operations on data blocks such as update, delete and append without data corruption or loss.

The application of homomorphic encryption is an important building block in Cloud computing security: it allows addressing the crucial problem of delivering a program that can be executed by a third party without revealing confidential data. The uses of homomorphic encryption have also been assessed in other contexts where the confidential information is split into multiple pieces that are processed independently by multiple entities. It lets anyone manipulate what is encrypted, even without knowing the secret key. It is a form of encryption where a specific algebraic operation performed on the plaintext is equivalent to another (possibly different) algebraic operation performed on the ciphertext. Moreover, it is effective against data modification and server colluding attacks as well as Byzantine failures. It achieves storage correctness assurance as well as data error localization. However, it is still rather impractical due to its high computational complexity and large communication cost. Locating a malicious server is possible using the tokens generated through homomorphic cryptosystems. Granularity, however, is the most important weakness of data isolation systems, since the existing approaches are not efficient when the size of the data subject to attack is small.

[1] Homomorphic encryption: a form of encryption that allows computation on ciphertexts, generating an encrypted result which, when decrypted, matches the result of the operations as if they had been performed on the plaintext.
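The sentence "a specific algebraic operation performed on the plaintext is equivalent to another (possibly different) algebraic operation performed on the ciphertext" is easiest to see in a concrete scheme. The following is an added example, not code from the page or from the token-based approach it cites: the Paillier cryptosystem, where multiplying two ciphertexts modulo n^2 decrypts to the sum of the plaintexts modulo n, and raising a ciphertext to a known constant decrypts to a multiple of the plaintext. The two primes are constructed demo values, far too small for real use.

```python
"""Additively homomorphic encryption (Paillier) as an added illustration."""
import math
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class PublicKey:
    n: int

    @property
    def n2(self):
        return self.n * self.n


@dataclass(frozen=True)
class PrivateKey:
    pub: PublicKey
    lam: int  # lcm(p-1, q-1)
    mu: int   # inverse of lam mod n; valid because the generator g = n + 1 is used


def keygen(p, q):
    """Derive a key pair from two primes p, q supplied by the caller."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)
    assert math.gcd(n, lam) == 1, "p and q must be of similar size"
    pub = PublicKey(n)
    return pub, PrivateKey(pub, lam, pow(lam, -1, n))


def encrypt(pub, m):
    """c = g^m * r^n mod n^2 with g = n + 1, so g^m = 1 + m*n (mod n^2); r is fresh randomness."""
    if not 0 <= m < pub.n:
        raise ValueError("plaintext must be in [0, n)")
    while True:
        r = secrets.randbelow(pub.n - 1) + 1
        if math.gcd(r, pub.n) == 1:
            break
    return (1 + m * pub.n) * pow(r, pub.n, pub.n2) % pub.n2


def decrypt(priv, c):
    """m = L(c^lam mod n^2) * mu mod n, where L(x) = (x - 1) / n."""
    n = priv.pub.n
    x = pow(c, priv.lam, priv.pub.n2)
    return (x - 1) // n * priv.mu % n


def add_encrypted(pub, c1, c2):
    """Multiplying ciphertexts (no key needed) decrypts to the sum of the plaintexts."""
    return c1 * c2 % pub.n2


def scale_encrypted(pub, c, k):
    """Raising a ciphertext to a public constant k decrypts to k * m."""
    return pow(c, k, pub.n2)


# Constructed demo primes (both prime, not secure sizes).
DEMO_P, DEMO_Q = 10007, 10009


def demo():
    """Operate on encrypted values without the private key, then decrypt."""
    pub, priv = keygen(DEMO_P, DEMO_Q)
    c42, c58 = encrypt(pub, 42), encrypt(pub, 58)
    return (
        decrypt(priv, add_encrypted(pub, c42, c58)),  # 100
        decrypt(priv, scale_encrypted(pub, c42, 3)),  # 126
        decrypt(priv, c42),                           # 42
    )


if __name__ == "__main__":
    print(demo())
```

A third party holding only the public key can run `add_encrypted` and `scale_encrypted` over the customer's data and return a ciphertext; only the key owner learns the result. This also shows the cost the text mentions: every value becomes an integer of twice the modulus size, and each addition is a big-integer multiplication.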

Security Mechanisms for Cloud Networking

- Border Gateway Protocol:
In the context of complex computer and communication networks, a Border Gateway Protocol (BGP) architecture has been suggested to detect cases where an autonomous system wrongly announces itself as the destination for all the data being transferred over that network. This allows the implementation of anomaly detection and incident response mechanisms in Cloud computing environments. The GRADUS tool can help to detect the source AS of the problem and respond. It also gives the flexibility to run the secure BGP protocol on some of the autonomous systems in order to protect the whole network. The use of this approach should be accompanied by additional protection techniques, since it is itself vulnerable to DoS attacks.
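The anomaly the paragraph describes, an AS announcing a prefix it is not the legitimate origin for, can be caught by comparing each announcement's origin AS against an authorization table. The block below is an added example, not the GRADUS tool or any project's code: the authorization records, AS numbers and the announcement feed are constructed, and the `validate` outcomes follow the usual route-origin-validation vocabulary (valid, invalid, unknown).

```python
"""Origin-AS validation over a constructed BGP announcement feed (added example)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Announcement:
    prefix: str      # e.g. "203.0.113.0/24"
    as_path: tuple   # AS path; the last element is the origin AS

    @property
    def origin(self):
        return self.as_path[-1]


# Constructed authorization records: (covering prefix, max prefix length, legitimate origin AS)
AUTHORIZED = [
    ("203.0.113.0/24", 24, 64500),
    ("198.51.100.0/22", 24, 64501),
]


def validate(ann, authorized=AUTHORIZED):
    """'valid' if a record covers the prefix with matching origin and length,
    'invalid' if covered but no record matches, 'unknown' if no record covers it."""
    net = ipaddress.ip_network(ann.prefix, strict=True)
    covered = False
    for auth_prefix, max_len, origin_as in authorized:
        auth_net = ipaddress.ip_network(auth_prefix, strict=True)
        if net.subnet_of(auth_net):
            covered = True
            if ann.origin == origin_as and net.prefixlen <= max_len:
                return "valid"
    return "invalid" if covered else "unknown"


def flag_suspicious(announcements, authorized=AUTHORIZED):
    """Report (prefix, origin AS, reason) for announcements conflicting with the table.
    Prefixes with no record are left alone: absence of a record is not evidence."""
    findings = []
    for ann in announcements:
        if validate(ann, authorized) == "invalid":
            findings.append((ann.prefix, ann.origin, "origin not authorized for this prefix"))
    return findings


# Constructed feed: a legitimate route, a more-specific announcement from the wrong
# origin, a wrong-origin announcement of a registered prefix, and an unregistered prefix.
SAMPLE_FEED = [
    Announcement("203.0.113.0/24", (64510, 64500)),
    Announcement("203.0.113.0/25", (64510, 64666)),
    Announcement("198.51.100.0/22", (64510, 64777)),
    Announcement("192.0.2.0/24", (64510, 64502)),
]


if __name__ == "__main__":
    for finding in flag_suspicious(SAMPLE_FEED):
        print(finding)
```

The max-length field matters: a more-specific announcement with the correct origin is still flagged, because a longer prefix wins route selection and would otherwise pull traffic away from the legitimate route.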
- Network segmentation:
VMs from different customers may reside in the same physical network through which the data traffic generated by the VMs is transported. In order to overcome this issue, techniques such as network virtualization through VLANs or other logical network segmentation are applied. This segregates and isolates traffic among different user groups or subnets.
- Encryption mechanism:
Customers will need a way to access their resources located within the Cloud and to manage those resources in a secure manner. Therefore, it is incumbent upon the Cloud provider to supply the customer with a management portal that is encrypted. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the most common tools for Web traffic.
- Encryption:
Data, by default, is coded in a readable format known as plaintext. When transmitted over a network, plaintext is vulnerable to unauthorized and potentially malicious access. The encryption mechanism is a digital coding system dedicated to preserving the confidentiality and integrity of data. It is used for encoding plaintext data into a protected and unreadable format. Encryption technology commonly relies on a standardized algorithm called a cipher to transform original plaintext data into encrypted data, referred to as ciphertext. When encryption is applied to plaintext data, the data is paired with a string of characters called an encryption key, a secret that is established by and shared among authorized parties. The encryption key is used to decrypt the ciphertext back into its original plaintext format. For example, malicious service agents that attempt traffic eavesdropping are unable to decrypt messages in transit if they do not have the encryption key.
- Digital Signature:
The digital signature mechanism is a means of providing data authenticity and integrity through authentication and non-repudiation. A message is assigned a digital signature prior to transmission, which is then rendered invalid if the message experiences any subsequent, unauthorized modification. A digital signature provides evidence that the message received is the same as the one created by its rightful sender. Both hashing and asymmetric encryption are involved in the creation of a digital signature, which essentially exists as a message digest that was encrypted by a private key and appended to the original message. The recipient verifies the signature's validity by using the corresponding public key to decrypt the digital signature, which produces the message digest.
- Public Key Infrastructure (PKI):
A common approach for managing the issuance of asymmetric keys is based on the public key infrastructure (PKI) mechanism, which exists as a system of protocols, data formats, rules, and practices that enable large-scale systems to securely use public key cryptography. This system is used to associate public keys with their corresponding key owners (known as public key identification) while enabling the verification of key validity. PKIs rely on the use of digital certificates, which are digitally signed data structures that bind public keys to certificate owner identities, as well as to related information, such as validity periods. Digital certificates are usually digitally signed by a third-party certificate authority (CA).
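The two mechanisms just described, a signature as "a message digest encrypted by a private key" and a certificate as a CA-signed structure binding a public key to an identity and a validity period, in one added example that is not code from the page. It uses textbook RSA on a SHA-256 digest (no padding scheme, which real deployments require) with freshly generated small primes; the subject name, message and timestamps are constructed.

```python
"""Hash-then-sign signatures and a toy certificate authority (added example)."""
import hashlib
import json
import math
import secrets
from dataclasses import dataclass


def is_probable_prime(n, rounds=20):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    """Random prime with the top bit set so that p*q has the intended size."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


@dataclass(frozen=True)
class KeyPair:
    n: int
    e: int
    d: int  # private exponent; (n, e) is the public key


def generate_keypair(bits=512):
    """Demo-sized RSA key; the modulus must exceed the 256-bit digest being signed."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return KeyPair(p * q, e, pow(e, -1, phi))


def digest(message: bytes) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(key, message):
    """Signature = digest transformed with the private exponent."""
    return pow(digest(message), key.d, key.n)


def verify(n, e, message, signature):
    """Recover the digest with the public key and compare it with a fresh hash."""
    return pow(signature, e, n) == digest(message)


def issue_certificate(ca_key, subject, subject_n, subject_e, not_after):
    """The CA binds the subject's public key and validity period by signing them."""
    body = {"subject": subject, "n": subject_n, "e": subject_e, "not_after": not_after}
    encoded = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "signature": sign(ca_key, encoded)}


def verify_certificate(cert, ca_n, ca_e, now):
    """A certificate is trusted only if the CA signature holds and it has not expired."""
    encoded = json.dumps(cert["body"], sort_keys=True).encode()
    return verify(ca_n, ca_e, encoded, cert["signature"]) and now <= cert["body"]["not_after"]


def demo():
    """Constructed scenario: a CA certifies alice's key; a relying party checks both."""
    ca, alice = generate_keypair(), generate_keypair()
    cert = issue_certificate(ca, "alice@example.com", alice.n, alice.e, not_after=2_000_000_000)
    msg = b"transfer 10 units to bob"
    sig = sign(alice, msg)
    ok = verify_certificate(cert, ca.n, ca.e, now=1_700_000_000) and verify(alice.n, alice.e, msg, sig)
    tampered = verify(alice.n, alice.e, b"transfer 99 units to bob", sig)
    return ok, tampered


if __name__ == "__main__":
    print(demo())
```

The relying party never needs alice's key out of band: it trusts the CA's public key, checks the certificate, and then takes alice's public key from the certificate body to check the message signature.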
- Single Sign-On (SSO):
Propagating the authentication and authorization information for a cloud service consumer across multiple cloud services can be a challenge, especially if numerous cloud services or cloud-based IT resources need to be invoked as part of the same overall runtime activity. The single sign-on (SSO) mechanism enables one cloud service consumer to be authenticated by a security broker, which establishes a security context that is persisted while the cloud service consumer accesses other cloud services or cloud-based IT resources. Otherwise, the cloud service consumer would need to re-authenticate itself with every subsequent request. The SSO mechanism essentially enables mutually independent cloud services and IT resources to generate and circulate runtime authentication and authorization credentials.
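The broker-issued security context, as an added example that is not code from the page: the broker authenticates the consumer once and mints a token (an HMAC-protected JSON context with an expiry); each independent service verifies the token with the broker's verification key instead of asking the consumer to re-authenticate. The user, password, shared key and service names are constructed, and the token format is an assumption of this example, not a standard.

```python
"""Single sign-on with a security broker and a signed security context (added example)."""
import base64
import hashlib
import hmac
import json
import time


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class SecurityBroker:
    """Authenticates once, then mints a token carrying the security context."""

    def __init__(self, signing_key: bytes, credentials: dict):
        self._key = signing_key
        self._credentials = credentials  # username -> (salt, pbkdf2 hash); constructed store

    def authenticate(self, user, password, ttl=300, now=None):
        stored = self._credentials.get(user)
        if stored is None:
            return None
        salt, expected = stored
        got = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        if not hmac.compare_digest(got, expected):
            return None
        now = time.time() if now is None else now
        context = {"sub": user, "roles": ["consumer"], "iat": int(now), "exp": int(now) + ttl}
        body = _b64(json.dumps(context, sort_keys=True).encode())
        tag = hmac.new(self._key, body.encode(), hashlib.sha256).digest()
        return f"{body}.{_b64(tag)}"


class CloudService:
    """Any service holding the verification key accepts the broker's token."""

    def __init__(self, name, verification_key: bytes):
        self.name = name
        self._key = verification_key

    def accept(self, token, now=None):
        """Return the security context if the token is authentic and unexpired, else None."""
        try:
            body, tag = token.split(".")
        except (ValueError, AttributeError):
            return None
        expected = hmac.new(self._key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(tag)):
            return None
        context = json.loads(_unb64(body))
        now = time.time() if now is None else now
        if now >= context["exp"]:
            return None
        return context


def make_demo_env():
    """Constructed environment: one broker, two independent services, one user."""
    key = b"constructed-demo-key-not-for-production"
    salt = b"constructed-salt"
    creds = {"alice": (salt, hashlib.pbkdf2_hmac("sha256", b"correct horse", salt, 100_000))}
    broker = SecurityBroker(key, creds)
    return broker, CloudService("storage", key), CloudService("compute", key)


if __name__ == "__main__":
    broker, storage, compute = make_demo_env()
    token = broker.authenticate("alice", "correct horse")
    print(storage.accept(token), compute.accept(token))
```

The password is checked exactly once, by the broker; the services only ever see the token, so a compromised service learns no credential. The expiry bounds how long a stolen token stays useful, which is why the context carries `exp` and why verification rejects the token without consulting the broker.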

Cloud platform security mechanisms

- Security at Application Level:
Security at the application level refers to providing security to applications using software and hardware resources such that attackers are not able to gain control over these applications. DoS is such a kind of attack: it affects a software application by sending a large number of requests to access the site, so that a legitimate user is unable to access it. Intrusion detection is the most popular method to protect against DoS attacks.
Intrusion Detection: the process of detecting entities and/or events that could compromise the security of the system. Intrusion detection systems are of the following types.
Server-based IDS: analyzes activity logs, system calls and application logs; it has a better view of the monitored system, but a high vulnerability to an attack on the IDS itself.
Network-based IDS: analyzes communicating nodes and network traffic; it has a poorer view of the system, but a low vulnerability to an attack on the IDS itself.
Integrated IDS: a combination of the server-based and network-based approaches.
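A minimal version of the detection the text attributes to a network-based IDS for the DoS case (many requests against one site), as an added example that is not code from the page: a sliding-window counter per source address over request records, raising an alert once a source exceeds a threshold. The log format, addresses and threshold are constructed for the example.

```python
"""Sliding-window request-flood detection over constructed request records (added example)."""
from collections import defaultdict, deque


def parse_line(line):
    """'<epoch_seconds> <src_ip> <method> <path>' -> (ts, src_ip), or None if malformed."""
    parts = line.split()
    if len(parts) < 4:
        return None
    try:
        return float(parts[0]), parts[1]
    except ValueError:
        return None


class FloodDetector:
    """Flags a source once it sends more than `threshold` requests within `window` seconds."""

    def __init__(self, threshold=20, window=10.0):
        self.threshold = threshold
        self.window = window
        self._recent = defaultdict(deque)  # src_ip -> timestamps inside the current window
        self.alerts = []                    # (src_ip, first timestamp in window, count)
        self._alerted = set()               # alert once per source, not once per request

    def observe(self, ts, src):
        q = self._recent[src]
        q.append(ts)
        while q and ts - q[0] > self.window:  # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > self.threshold and src not in self._alerted:
            self._alerted.add(src)
            self.alerts.append((src, q[0], len(q)))

    def feed(self, lines):
        for line in lines:
            parsed = parse_line(line)
            if parsed:
                self.observe(*parsed)
        return self.alerts


def constructed_log():
    """One client sending three requests a second, two ordinary clients, one bad line."""
    base = 1700000000
    lines = [f"{base + i / 3:.3f} 198.51.100.7 GET /login" for i in range(90)]
    lines += [f"{base + i * 6} 203.0.113.5 GET /index" for i in range(5)]
    lines.append("garbage line")
    lines.append(f"{base + 20} 192.0.2.9 POST /api")
    return lines


if __name__ == "__main__":
    print(FloodDetector().feed(constructed_log()))
```

Per-source counting is the simplest rule and is blind to a distributed flood where each source stays under the threshold; a production detector would add per-path and aggregate rates on top of it.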
- Role-based Access Control:
To improve security, resource access or permissions are given to subjects (users and processes) based upon their roles. Basically, a role may represent a job function, and permissions are associated with the role, which provides a simple and scalable control capability. A subject gets access to perform operations on resources based upon the roles assigned to it. In cloud infrastructure, Role-based Access Control (RBAC) can be enabled for cloud clients by importing user groups using the directory services of the client organization, and the CSP may use RBAC to control administrative access to the hypervisor management system.
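The role model above, including the group import from a client directory and a CSP-side hypervisor-admin role, as an added example that is not code from the page: permissions attach to roles, subjects obtain roles through directory group membership, and every operation is checked against the roles the subject holds. The group names, users, operations and resource types are constructed.

```python
"""Role-based access control with directory-group import (added example)."""
from collections import defaultdict


class Rbac:
    def __init__(self):
        self._role_perms = defaultdict(set)     # role -> {(operation, resource_type)}
        self._subject_roles = defaultdict(set)  # subject -> {role}

    def grant(self, role, operation, resource_type):
        self._role_perms[role].add((operation, resource_type))

    def assign(self, subject, role):
        self._subject_roles[subject].add(role)

    def import_groups(self, directory_groups, group_to_role):
        """Map directory groups (group -> members) onto roles; unmapped groups are ignored.
        Returns the number of (member, role) assignments made."""
        imported = 0
        for group, members in directory_groups.items():
            role = group_to_role.get(group)
            if role is None:
                continue
            for member in members:
                self.assign(member, role)
                imported += 1
        return imported

    def check(self, subject, operation, resource_type):
        """True iff some role held by the subject permits the operation on that resource type."""
        return any(
            (operation, resource_type) in self._role_perms[role]
            for role in self._subject_roles.get(subject, ())
        )


def build_demo():
    """Constructed tenant: client directory groups plus a CSP hypervisor-admin role."""
    rbac = Rbac()
    rbac.grant("developer", "read", "vm")
    rbac.grant("developer", "start", "vm")
    rbac.grant("auditor", "read", "vm")
    rbac.grant("auditor", "read", "audit-log")
    rbac.grant("hypervisor-admin", "configure", "hypervisor")
    directory = {
        "cn=dev,ou=groups": ["alice", "bob"],
        "cn=audit,ou=groups": ["carol"],
        "cn=hr,ou=groups": ["dave"],  # no role mapped: members get nothing
    }
    rbac.import_groups(directory, {"cn=dev,ou=groups": "developer", "cn=audit,ou=groups": "auditor"})
    rbac.assign("csp-ops-1", "hypervisor-admin")  # CSP-side administrative access only
    return rbac


if __name__ == "__main__":
    r = build_demo()
    print(r.check("alice", "start", "vm"), r.check("alice", "configure", "hypervisor"))
```

Keeping the hypervisor-admin role outside the client's group mapping is the point of the last sentence in the text: no directory group of the tenant can ever be mapped onto provider-side administrative rights.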
- A case of a cloud provider: SAP Cloud Platform
SAP offers different security mechanisms for ensuring that only approved users have access to SAP Cloud Platform applications:
● Managing Identities
● User Role Access using SAP Cloud Platform Identity Provisioning
● Authentication and Single Sign-on with OAuth and SAML

The security architecture of SAP Cloud Platform aims to establish security measures that are
among the highest in the industry. At SAP, your data, platform and application security is our top
priority regardless of where you are located in the world. Our aim is to consistently safeguard
your business.
