Keywords applicable to this article: dissertation, research, topics, virtual data centre security, cloud
computing security, virtualization security, unified threat management, cloud computing hosting security,
Cloud-Let security, IT security on cloud computing, performance of cloud security.
By: Sourabh Kishore, Chief Consulting Officer
Topic development for Research Projects in Theses and
Dissertations related to Cloud Computing Security, Cloud-Let
Security and Virtualisation Security Frameworks.
Copyright 2011 ETCO INDIA. All Rights Reserved
Cloud computing security is a rapidly emerging research area amidst growing security concerns among the companies availing cloud hosting services for
their critical IT systems. The virtual closed user group (V-CUG) mode of cloud computing operation, upon a massive shared real infrastructure shared among
thousands of clients, is not yet well understood in the academic and even in the professional worlds. There are many unanswered questions because a direct
analogy with self hosted infrastructure systems is not yet established. Regulators across the world are facing tough challenges in allowing the companies to
host their critical IT infrastructures on cloud computing platforms. Protection of user sessions from the threats on the Internet takes us back to the old era of
Zone based Firewall security system which was solved by establishing the Public, Secured and De-Militarised zones. Intrusion Detection and Prevention
systems extended added advantages to the Zone based Security System. However, cloud computing hosting requires the user sessions to traverse the Internet.
Then where does the Zone based Security comes in picture? If this is the only way to access the cloud hosted resources, then what is the solution for secured
access to cloud computing resources? Assuming that IP-VPN tunneling using IKE with IPSec and 3DES/AES encryption is the solution to protecting Internet
exposed user sessions, how many tunnels will the cloud hosting providers terminate at their end? Which VPN aggregator can support millions of tunnels?
What will be the WAN overload? What will be the performance? Is it really feasible having millions of IP-VPN tunnels to secure cloud computing clients?
Please keep in consideration that this is just one area of security because the issues of Server operating systems, LAN, applications, web services, platforms,
etc. security at the cloud hosting end is still unaddressed. What are service providers doing to ensure that one client do not get even accidental access to the
data of another client?
Dear Visitor: Please visit the page detailing SUBJECT AREAS OF SPECIALIZATION pertaining to our services to view the broader perspective of our
offerings for Dissertations and Thesis Projects. Please also visit the page having TOPICS DELIVERED by us.
With Sincere Regards, Sourabh Kishore.
Apologies for the interruption!! Please continue reading!!
Let us begin with the fundamentals. Cloud computing infrastructures employ the same IT components that corporations have been using in their self hosted
infrastructures. However, clouds are deployed at massive scales with virtualization as their core technology. The security threats and vulnerabilities are the
same that the world has been witnessing in self hosted real and virtual infrastructures. In self hosted environments, corporations have kept themselves
secured by operating within CUG (Closed User Group) environments, which are protected from the external world through peripheral devices like Zone based
Firewalls, Intrusion Prevention Systems, Network Admission Control, Anomaly Control, Antivirus/Antispyware, etc. All users in the CUG go through an
organized authorization system to achieve privilege levels on the secured computers, and their activities are logged and monitored. In cloud hosted scenario,
the CUG breaks completely. In fact there is no real CUG - as it becomes virtual. The sessions between users and servers, that were highly protected on private
IP addresses on CUG LANs, get exposed to public IP addresses of the Internet. The security controls are out of the hands of the end customers, as the service
providers own the clouds. The end user files and data gets spread across multiple physical hosts, with no identifiers determining the location of a component
of a file/folder and its data. The service providers, on the other hand, use real components for the entire cloud and only virtual components for the end
customers. Hence, personalisation becomes a major problem, because there is nothing real; everything is just virtual everywhere - the authentications,
authorizations, accounting, file locations, database locations, sessions, application demands, servers, etc. The end users get virtual screens to manage their so
called personalized cloudlet on a massive cloud infrastructure.
The challenge is related to going back to the olden days of security controls, prevalent in real CUG environments, and implementing them on the virtual CUG
environments. In your study, you can pick one of the prominent security challenges - like access control, network control, de-militarized zones, web services
control, file/folder security controls, etc. In fact, you should prefer to choose an area that can be simulated on a network modelling and simulation platform -
like OPNET, Cisco Packet Tracer, OMNET++, etc. Do not try to address more than one areas in your thesis, because your study would tend to get generalised. I
propose that you should study the following areas in your dissertation/thesis project about Cloud Computing Security:
You may like to study data security services in Cloud Computing environments. Data Security services in cloud computing is still mystery for the customers
although service providers have implemented all standard technologies that you can imagine: stateful inspection firewalls, Intrusion Detection and
Prevention devices, Web services firewalls, Application firewalls, Spam filters, Antivirus, Anti-Spyware, Gateway Level File Inspections, etc. But customers are
not able to specifically identify the controls applicable on their files/folders because they do not know the physical location of them (as you must be knowing,
files get distributed into multiple virtual machines spread across multiple data centres). In this context, a new concept is evolving. It is called "Unified Threat
Management System (UTM System)". In UTM, a separate service provider builds a lot of controls for the customers that can be shared through "subscription
model" (similar to the cloud computing model) and can assure security for the customers' assets by seamlessly integrating their UTM solutions with the Cloud
Hosting service providers. The customer just needs to buy a leased line connection to the UTM provider and will get all the controls applicable on their hosted
environments. The model appears like the following:
Currently, cloud computing service providers are operating in three different modes - Software as a Service (SaaS), Platform as a Service (PaaS) and
Infrastructure as a Service (IaaS). However, a fourth mode is emerging rapidly to provide security solutions on cloud computing infrastructures - Unified
Threat Management as a Service (UTMaaS). Unified threat management (UTM) service for cloud hosting users is a rapidly emerging concept in which, the
security controls for the end users are managed by a third party, that allow the user sessions from thousands of clients through their systems and ensure
optimum protection and personalization. Their services span from network security controls to application security controls. Cloud hosting customers may
need a Leased Circuit Connection to the UTM provider, that serves as a backhaul connection to the Cloud Hosting provider with appropriate peering between
the security controls and the infrastructure maintained by the cloud provider (at all levels of the OSI seven layers) and the corresponding client environment
for the customers.
Please visit the page on VIRTUALISATION, CLOUD COMPUTING, AND UNIFIED THREAT MANAGEMENT SYSTEM to read more about the
With Sincere Regards, Sourabh Kishore.
Apologies for the interruption!! Please continue reading!!
I will give you an example. When you hire E-Mail services from Google Apps or any other cloud hosted application service provider, you get a control panel
screen through which you can maintain the mailboxes for your company. All the configurations can be triggered through icons. There will be separate icons
through which you can configure your own security controls, specific to your own subscription only. Some examples of the icons are - Account Level Filtering,
User Level Filtering, E-Mail Authentication, Spam Assassin, SSL configuration panel, etc. Every cloud hosting user that maintains a secured business on the
Internet is aware of these icons. These are security controls specific to a company (virtual closed user group), - but this doesn't mean that the cloud hosting
provider has installed any dedicated security device for the company. These devices work in shared mode for thousands of companies that have hosted their
services on the same cloud. In fact the cloud hosting provider has implemented additional configurations to provide dedicated services to cloud subscribers.
Let us take an example of E-Mail Authentication. Guess what they would have implemented? - just an LDAP Server!! What is there in an LDAP server? - User
Accounts, Group Accounts, Authorizations, Privileges, etc!! Where are the privileges and authorizations configured? - on network objects (files, folders,
databases, Mail boxes, etc.)!! Now what they have added on the cloud? They have added a method to ensure that a company's domain account has become a
network object for them. How will this happen? They have created customized Web Services on E-Mail Servers (like MS Exchange, Q-Mail, or Send mail) in
such a way that each server can host mailboxes for multiple domains and there can be a super user who is the owner of the domain and all mailboxes under it.
To provide privileges to the super user, they have integrated the LDAP server with the customized mail server through appropriate web programming such
that the LDAP server recognizes the domain as the network object and the super user as its owner. This customizing also results in a combined administration
panel for both e-mail server and the LDAP server, to enable the user company to implement their own security controls. Similar settings can be implemented
for other services as well. Given the huge volumes, these security applications (LDAP, Spam filter, IPS, Web Services Firewalls, etc.) are massive and hence a
Unified Threat Management (UTM) service provider is needed to work closely with the cloud hosting service provider.
Cloud computing hosting can be viewed as external virtualization, which is an extended IT infrastructure for companies that are geographically dispersed.
You may like to study how the principles of IT security management, IT governance, and IT service continuity can be fulfilled by keeping some part of IT
services internal and other services extended to multiple Cloud service providers. To gauge the principles, you may need help from some global standards and
best practices as listed below:
(a) ISO 27001/27002 - Information Security (this is related to IT Risk Management as well with build in controls for IT Business Continuity and Disaster
(b) ISO 27005, COBIT, RISK IT - IT Risk Management
(c) Val IT - Value proposition to Business by IT (includes IT Service Continuity)
(d) ITIL Versions 2 and 3 - IT Service Continuity is an integral part of overall Service Management Framework
(e) PAS 77 - dedicated standard for IT Service Continuity Management
(f) ISO 24762:2008 - dedicated standard for ICT Disaster Recovery Services
Your topics may comprise of these frameworks combined with actual security controls possible on cloud hosting through UTM service providers. The studies
may be carried out by studying various security attributes by modelling and simulating them on appropriate network modelling tools (OPNET, Cisco Packet
Tracer, OMNET++, etc.), or by conducting surveys and interviews of experienced IT professionals that are managing cloud hosted services for their end users.
Please contact us at email@example.com or firstname.lastname@example.org to discuss your interest area in cloud computing security. We will help you to
formulate appropriate topics, their descriptions, and your research aims and objectives, supported by most relevant literatures. We have helped many students
in completing their research projects on IT security and IT governance on cloud computing. There are no dearth of topics as this is an emerging field that is
actively targeted for academic research studies. However, it should be kept in mind that the research studies in this field should yield firm and actionable
outcomes, in the form of IT security strategies, IT governance strategies, architectures and designs for the end users of Cloud Computing Hosting and for the
service providers that are still struggling to convince the global regulators that cloud computing security is in no way inferior to traditional self hosted IT
infrastructure security. The standards and global best practices (listed above) can definitely add value, although the implementation plans for cloud hosting
end user companies should evolve from academic research studies.
A Management Consultancy and Research Services Firm